Going through the configuration, you don't need LACP trunk group. So remove following command:
trunk 28 trk1 trunk
All access ports will be untagged for specific VLANs and all trunk ports will be tagged for desired VLANs.
I am assuming you have port 28 connected to UTM, so 28 will be tagged for all VLANs.
Also, sanity check.. ip default-gateway 192.168.120.2 is not required once you have enabled routing and "public" SNMP community to be changed.