+1 if the gigabit switch is capable of splitting the segments as well. If the two Fortigate ports are on the same segment on the switch then all bets are off.

thanks, not so sure what you mean by same segments. I have port 1 going to LAN1, port 2 going to LAN2, etc and then the others unassigned?

Are your two lans actually defined as vlan sub-interfaces on the FortiGate?

Assuming they are, which means they will be producing and accepting vlan tagged traffic, then you need to configure your (hopefully managed) switch to work with that.  If your switch is not managed there isn't a good way to do this.

If the gigabit switch is managed, you need to set up matching vlans (same vlan ID) on the switch itself, and set those so they only accept tagged vlan traffic for the two ports you connect to the FortiGate (or you could trunk it).  For the switch ports that are connected to end users you would set them up to to only allow untagged (native vlan) for one vlan or the other.

Thanks, no there defined as LANs but I've set Intenal1(Port1) to one of the LANS and then a unmanaged switch goes into this port for that network only. The Internal2(Port 2) has another separate unmanaged switch going to the other LAN.

Both are set with different network IP Addresses and cannot ping one another. I am not trying to use one switch for both LANs they each have their own unmanaged switch but in ports assigned to the correct LAN. However I'm not sure if this is enough as you mention I should have sub-interfaces or is this only if I have 1 switch trying to use VLANs? 

Without defined vlans on the FortiGate, and without managed switches that have the vlans defined, you don't have vlans, and thus don't have layer 2 separation.

This may be fine, since you're using separate switches connected to the different FortiGate ports with different subnets since the FortiGate security policies can keep the two subnets/interfaces separate from each other.

This may NOT be fine if you have some other way that those two networks might connect to each other over layer 2, say by computers from one subnet connecting to a wired network printer that also happens to generate its own WiFi access point to conveniently allow the other subnet to connect to it (run into this all the time).  Or when somebody adds another switch, or when someone on one wired subnet connects to the WiFi AP for the other subnet at the same time, or when somebody connects their dual-nic computer to two different ports, etc. etc.

It sounds like in your case you may not really need to use vlans, but as I mention above, you just need to make sure you don't have some of these possible issues.

Well basically you don't need a FortiSwitch. Each FGT can do virtual switch and vlans natively.

However FGT only handles vlan tagged traffic - in both directions (from and to FGT). So Traffic that goes form the FGT onto your vlan will always be tagged by the FGT (i.e. "Untagged" in switch terms). Traffic coming to the FGT from out of your vlan musst then be tagged too.

If you do not happen to have a managed switch capable of vlan management you cannot have the switch doing this for you. This would mean that your clients will have to do the vlan tagging.

However this is a pain in the a** on windows and mostly rather impossible on embedded devices. 

So if you really need vlans I recommend using managed switches that can do the vlan tagging on their ports.

Is there a special reason why you do want vlans?