The upstream FortiGate is the heart of the security fabric. It is located on the edge of the network, connecting the internal devices and networks to the Internet through your ISP.
From the upstream FortiGate, you can view information about the entire security fabric using FortiView.
Once an upstream FortiGate has been installed, all other FortiGates in the security fabric act as Internal Segmentation Firewalls (ISFWs).
An ISFW is a firewall that sits at strategic points inside the internal network, rather than on the network edge. This allows extra security measures to be taken around key network components, such as servers that contain valuable intellectual property.
ISFW FortiGates in a security fabric send traffic and information about their devices to the upstream FortiGate, allowing network visibility.
Security Fabric configurations allow you to distribute security functions to different FortiGates in the security fabric. For example, you may want to implement virus scanning on the External FortiGate but add application control and web filtering to the ISFW FortiGates.
This results in distributed processing between the FortiGates in the Security Fabric, reducing the load on each one. It also allows you to customize the web filtering and application control for the specific needs of the Accounting network, as other internal networks may have different application control and web filtering requirements. This configuration may result in threats getting through the External FortiGate, which means you should very closely limit access to the network connections between the FortiGates in the Security Fabric.
Another strategy you could choose is to use flow-based inspection on the External FortiGate and proxy-based inspection on the ISFW FortiGates.