Dear Mohammad, a firewall is not just a device to block ports; it also controls sessions, attacks and malformed traffic, and it gives you a lot of capabilities like traffic shaping, many forms of NAT, source-based routing, redundant routes and a lot more PER EACH POLICY.
If you just need to block some TCP or UDP ports for some addresses in your network, you won't need that kind of firewall; your existing L3 switches are just fine, and you can write a policy with ACLs.
If you want more control over your policy, just like a real firewall, you'll need it.
The best structure depends on your needs and applications; if you want to have a lot of control over your policy, client access, attacks and blah blah blah, use your first structure.
But if you just need some basic access rules between internal or trusted VLANs, use ACLs on your core switch, and use the firewall for connections between all clients and servers.
Anyway, your firewall is critical in both structures, and if it fails you will lose your connection to the other parts of your network.
So consider two things:
1st: Use firewall devices that have very stable hardware; my recommendation is Juniper, so the possibility of failure is minimal.
2nd: Use a secondary firewall as a redundant unit, so if one of them goes wrong the other one is still there. Not all firewalls support redundancy protocols and this kind of configuration; Cisco and Juniper both support this.
You can check the Juniper website to choose the right firewall depending on your throughput and traffic.
An SSG firewall is good for your needs, the SSG 140 for example.
Notes:
Use a modular firewall so you can add additional SFP or Ethernet modules.
For example, for the SSG 140 the part numbers can be these:
1: SSG-140-SH (the firewall itself)
2: JXU-6GE-SFP-S, this is the 6-port SFP module
I don't have exact prices; it begins from 1,000,000 tomans to more than 10,000,000, depending on your firewall model, modules, and the licenses that you want.
Good luck