Andras Dosztal
Network architect
Aug 13, 2018

Azure puts FortiGate's port1 to the outside subnet


When I shoot up labs with FortiGate firewalls in my local environment, I usually connect port1 to the inside because it allows access (PING, HTTP(S), SSH, FMGR) by default; in other words, all the other ports are protected with factory default settings.

However, when a FortiGate NVA (Network Virtual Appliance) is created on Azure, port1 gets assigned to the outside and port2 to the inside (check the IP addresses in the figures below):

Azure VNets

FortiGate interfaces

Though it looks like a security flaw (management port on the outside), there are good reasons for this behavior:

  1. Even NVAs are protected by NSGs (Network Security Groups). You have to set up your access lists before you can access the FortiGate web interface; i.e. it’s not exposed by default.
  2. How would you access the web interface if you haven’t created any VMs in your subscription yet and your firewall’s internet-facing interface shuts off all incoming traffic?
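
Because the NSG is the only control in front of port1's management services, it is worth checking that the access lists you add stay scoped to known admin sources. The following is an added example, not code from the original post: it audits NSG rules in the JSON shape returned by `az network nsg rule list -o json` and reports inbound Allow rules that open SSH/HTTP/HTTPS to any source. The function names and sample rules are constructed for illustration, and it does not evaluate whether a higher-priority Deny shadows a reported rule.

```python
# Added example: flag NSG rules that expose FortiGate management ports to any source.
# Field names follow `az network nsg rule list -o json`; SAMPLE_RULES is constructed.
MGMT_PORTS = (22, 80, 443)  # SSH, HTTP, HTTPS administrative access
ANY_SOURCE = {"*", "0.0.0.0/0", "internet"}

def _values(rule, single, plural):
    """Merge the singular and plural forms NSG rules use for prefixes and ports."""
    vals = list(rule.get(plural) or [])
    if rule.get(single):
        vals.append(rule[single])
    return vals

def _covers(spec, port):
    """True if an NSG port spec ('*', '443' or '80-443') includes the port."""
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def exposed_mgmt_rules(rules):
    """Return [(rule name, exposed ports)] for inbound Allow rules open to any source."""
    findings = []
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if rule["direction"] != "Inbound" or rule["access"] != "Allow":
            continue
        if rule.get("protocol", "*").lower() not in ("tcp", "*"):
            continue
        sources = {s.lower() for s in _values(rule, "sourceAddressPrefix", "sourceAddressPrefixes")}
        if not sources & ANY_SOURCE:
            continue
        specs = _values(rule, "destinationPortRange", "destinationPortRanges")
        hit = [p for p in MGMT_PORTS if any(_covers(s, p) for s in specs)]
        if hit:
            findings.append((rule["name"], hit))
    return findings

SAMPLE_RULES = [  # constructed sample, not from the original post
    {"name": "allow-admin-https", "priority": 100, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "203.0.113.10/32", "destinationPortRange": "443"},
    {"name": "allow-ssh-any", "priority": 110, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "22"},
    {"name": "allow-web-range", "priority": 120, "direction": "Inbound", "access": "Allow",
     "protocol": "*", "sourceAddressPrefixes": ["Internet"],
     "destinationPortRanges": ["80-443", "8443"]},
    {"name": "deny-all-in", "priority": 4000, "direction": "Inbound", "access": "Deny",
     "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*"},
]

if __name__ == "__main__":
    for name, ports in exposed_mgmt_rules(SAMPLE_RULES):
        print(f"{name}: management ports {ports} reachable from any source")
```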

Anyway, if you want to “stick to the traditions”, just swap the subnets when creating the NVA; set your inside subnet as outside and vice versa, then adjust the static routes (aka UDRs, User Defined Routes):

Azure subnet creation