Network security best practice assistance
08-19-2015 03:10 PM - edited 02-21-2020 05:33 AM
Our Internet access is connected to a Nexus 9500 switch. Internet traffic is passed through the Nexus to a non-Cisco firewall [master/slave fail-over] for filtering. Data is filtered by the firewall back to the L3 switch for routing to destination. I would appreciate suggestions for enhancing network security by placing the firewall(s). Options:
1) Directly connect the Fortigate to the ATT internet router; place the Nexus behind the firewall;
2) Place a perimeter ISR router as the first point of contact to the Internet, followed by the firewall, followed by the Nexus.
The Nexus is connected to the MPLS network, and other remote sites use Internet/IPSEC tunnels to access resources at HQ. The Fortigate terminates IPSEC tunnels. Any suggestions to enhance network security from unauthorized access through the Internet would be appreciated.
I thank you beforehand.
08-21-2015 12:01 PM
This is your best starting point.
http://www.cisco.com/c/en/us/solutions/enterprise/design-zone-security/index.html
Also, check out the presentations and videos at Cisco Live On demand library. Registration is free.
https://www.ciscolive.com/online/connect/search.ww?zid=Global
Thanks,
Chetan
