UTM (Formerly ASG) Feature Requests
Do you have an idea for Sophos UTM? Do you recognize a good idea when you see one? We want to hear from you!
-
Wireless Security: Authentication via Active Directory Credentials
Add the ability to connect to the wifi network / hotspot using your AD credentials.
The “company” wifi network can then be accessed using your credentials and when an account is removed or disabled you also cannot connect to the wifi anymore. With that feature you don’t have to change the wifi code whenever a person leaves the company. Maybe also add AD group membership so you can easily grant a select group of people access to your wifi network.
172 votes -
Networking: Use Listbox Widget for DNS Domains in DNS Request Routing
Allow for multiple domains per set of DNS servers.
As it is now I mostly add some internal domains to it and say which DNS servers it needs to use for it, as also the in-addr.arpa zones. Now I need to make a new set for every domain, which is very tiresome and unnecessary if I could just say use these DNS servers for these domains.
2 votes -
Web Protection: Support WCCP
Customers request support of WCCP for redirecting traffic flows in real-time to an out of path appliance installed. Please add support for this.
54 votes -
Web Application Security: White / Blacklist Support for Visitor IP's
I would like to see an option to deny or allow certain IP addresses that can access the webservers. Not only based on country but on the IP address itself.
34 votes -
Web Security: Time-Based Application Control Rules
Hi,
time based application filtering would be very nice, for example make it possible to use Facebook apps at lunch time but rest of day block it
104 votes
This is a candidate for an upcoming version.
-
Outdoor Wireless Access Point Model
Outdoor Wireless APs for mesh networking on outdoor environments.
200 votes -
RED: Uplink and UMTS/3G Signal Status
It would be great to know the status of the internet connection uplink(s) in use on our RED sites. Especially with the 3G/UMTS option, perhaps a way could be found to display the signal strength as well for extra benefits?
25 votes -
Endpoint Protection: Add Sophos Application Control
Include Sophos endpoint style category application controls in the management features of UTM.
This will complement network based application detection and control.
18 votes
This feature is currently planned for UTM 9.2 later in 2013.
-
Web Protection: Global URL Blacklist & Whitelist For All Profiles
It would be nice if we could create for the blocking a group of URLs, which may be analogous to the block "URL Filtering Categories" in the "Filter Actions". For example, the URL's to be blocked must not enter in every profile under blacklist.
63 votes -
RED: Support Backup Hostname for RED Connection
Currently, REDs and ASG must find and connect through the definition of a single host-name that is fully resolvable in the public. While this can use the DynDNS feature in ASG already for "fail over", it might be simpler to just offer another host-name field to be used in the event RED loses connection to the main host-name?
Even with multiple WAN links available to an ASG, the REDs use of just a single hostname poses a problem if that particular WAN link or ISP should drop for a time (e.g. fiber cut, dead modem, etc). The downed REDs…
73 votes -
Wireless Protection: QR Code Vouchers for Hotspot
In addition to passwords for entry via the wireless captive portal, it will help us if QR Codes can be printed on vouchers too.
Users with smartphones are able to scan the QR code with the mobile phone, which contains an individual URL to activate the session, equivalent to typing in the voucher's passcode in the captive portal.
20 votes
Great idea, we’ll have a look at this.
-
NAC/Endpoint-Control of remote access users
Normally you can only check username and password (in extension a certificate) during remote access authentication. There is no ability for checking the environment of the user, e.g. what device is he using, AV running and up-to-date, Firewall on, not using special applications, etc.
There must be an applet used during clientless SSL-VPN access for checking the user environment against important security functions and after checking the user has to match into a security zone. Depending on which zone the user lands, there are different rules working for access the internal site.
169 votes -
Web Protection: Google App domain controls via HTTP header insertion
Google supports a way for organizations to limit which Google Apps domains users are allowed to visit. This is done by adding an HTTP header to outbound requests containing a list of allowed domains.
http://support.google.com/a/bin/answer.py?hl=en&answer=1668854#providers
24 votes
We are considering adding support for this Google App control in a future release.
-
Logging: Global live log of all activity
Please, give a way to display all available live logs together of all services in only one single window
30 votes -
Reporting: Per-Interface Bandwidth Totals
In the daily report which is sent to me by mail the IP traffic is mentioned in the first line as "Traffic Processed".
With multiple internet uplinks, VPN "interfaces", RED's, and Wireless AP's, it would be great if you could break down that total and show me some interface summaries for this!
30 votes -
Networking: Summarize DHCP Leases with a Total
When the DHCP server is configured with a large scope, say a capability of a range of 200+ leases, then it can be very difficult to determine how many leases are currently active, especially when leases that have already expired are still shown in the table. One has to manually count the entries in the table. It would be wonderful if a counter was available at the top of the lease table showing the number of current active leases.
7 votes -
Authentication: Use Wireless Credentials for other UTM modules
Passing the authentication credentials from 802.1X WPAx enterprise authentication to other UTM modules would enable seamless SSO for wirelessly connected devices and would be particularly useful for authentication of mobile devices.
38 votes -
Networking: Wildcard Hostnames for DNS Group Definitions
Being able to specify a 'root' domain name, or pattern, as a network definition, that could then be used in a traffic selector for bandwidth shaping, would help greatly. Content delivery networks use hundreds of hostnames, but usually stick with one 'root', example: 'something.nflximg.com' or 'something.llnwd.net'. By specifying something like '*.llnwd.net' as the source, we could then limit the traffic as desired.
40 votes -
RED: Compression Support for Tunnels
Please implement data compression ability for RED Tunnels. This would allow more effective throughput using RED devices with slow internet connections - especially with slow uplink speeds, and also saving RED Bandwidth on Internet Uplink on HQ if there's for example heavy usage of good compressible content as HTTP traffic, SMB access etc.
118 votes
This feature has slipped from UTM 9 and will be added in a future version in the short-term.
-
WebAdmin: Support multiple ports (and ranges) in a single service definition
Currently for a service you can only have a range of ports or a single port. Some applications will use a range of ports in addition to a few single ports that are outside of the range, or for example 3 totally separate ports.
In the service definitions I have to create a separate definition for each single port and each range port, then group them together. You should be able to specify any number of ports in the same service definition with commas and colons like this "2000, 4000, 3100:3200"
7 votes