UTM (Formerly ASG) Feature Requests
Do you have an idea for Sophos UTM? Do you recognize a good idea when you see one? We want to hear from you!
-
Network Security: Vulnerability Scanner
Implement a means whereby from the ASG you can scan networks for vulnerabilities.
258 votes -
Network Security: Automatic uPNP Support
Adding NAT rules automatically through UPnP service would be also great for home users and probably some other small companies.
214 votes -
Networking: Data Leak Prevention System (DLP)
A system that will identify, monitor, and protect data through deep content inspection. This will be a must have system to detect and prevent the unauthorized use and transmission of confidential information.
176 votes -
Network Security: Services Support for Country Blocking
The country blocking is a very good idea.
We get a lot of intrusions from China to our terminal server. The best extension would be if we could limit it to services like RDP, VNC.
151 votes -
Network Security: Create firewall rule(s) directly from Live Log
In order to make fine tuning of our product packet filter configuration easier, we should add a way to create packet filter rules with a small wizard, so that if I see any packet that I want to explicitly drop or allow I can start a mini-wizard that helps to create a matching packet filter rule by either selecting existing definition objects or offering an easy way to create new definition objects, which then get used in the pf rule.
123 votes -
Network Security: Block Malicious/Botnet/Bad IP's using Blacklist "Service"
It would be nice if we could automatically block all traffic to/from IPs identified as malicious by lists such as DSHield or Project Honey Pot.
121 votes -
Network Security: Drag'n'Drop sort of packet filter rules
Improve the GUI to support a drag'n'drop sort of the packet filter ruleset, and potentially also other sortable list elements.
120 votes -
Network Security: Firewall Rule "Hit" Counters
Display the number of packets that match each rule in the table. So you can locate unnecessary packetfilter rules. Should be able to reset the hit counter(s) as needed, along with a tooltip to show the last time(s) of the previous few hits.
104 votes -
IPS: Per-Rule IPS Exceptions
Extend the exceptions functionality to allow for specific rules as part of an exception.
This will allow for much more granular IPS exceptions, being able to specify that a rule be disabled/excepted only for a certain traffic flow, like rule 2122 from Internet to Webserver, without disabling the rule globally or exempting the resource from IPS fully.
75 votes -
IPS: Creation of Custom Rules (Snort)
The possibility to add our own Snort rules would be great!
Customers can add their special rules for their special needs,
so we could be more flexible and more secure. The ASG can check the own rules via a new Snort instance; if everything is fine -> add it to the ruleset.
71 votes -
Network Security: Logical "NOT" Support for Packet Filter, DNAT, etc...
It would easily save a lot of work if we had the possibility to make a mass rule with "NOT" operators, like accepting all traffic for all directions EXCEPT for some host or network etc.
Like ACCEPT ANY ANY !Host"A"
54 votes -
Network Protection: Bind VoIP Proxy to Interface
It would be useful if the VoIP proxy was able to be assigned to a particular interface. If I have an internal VoIP server, it may not be on the same address as my default gateway, so it would be useful to assign another gateway interface instead of using policy based routing.
45 votes -
Definitions: Create objects based on "AS whois" record
It would be nice to have the ability to define network definitions by whois AS number.
e.g. you could make a definition for all the Telenet public subnets by adding a definition Telenet-subnet with a parameter AS 6848.
The AS number database is rebuilt on a daily basis, and could be synced just like the spam, antivirus and content filter databases are synced or updated.
43 votes -
Network Protection: Fallback to previous IPS pattern version
Engine fallback to previous file in case of a determined engine error or bad update.
41 votes -
Network Security: Support for ARP Handler Inspection (arpon)
arpon should be added to UTM. You would need to add the ability to process the arpon.log file intelligently and escalate to the administrator accordingly.
arpon would be useful in situations where users add unauthorized equipment to the network, or ARP poisoning/spoofing is taking place.
35 votes -
Network Protection: Create firewall rules to automatically "blacklist" an "attacker."
I'd like to turn on 'reactive rules' to start dropping all traffic from source IPs that trip a threshold of IPS or PF rules.
Say someone is scanning your website for IIS vulnerabilities and trips 20 IPS rules in 1 minute (administrator defined parameters), then the UTM would create a rule at the top to block all traffic to and from the attacking source IP.
Bonus points for letting the rule dissolve after N hours as well as being able to turn this rule on for specific interfaces or subnets, You could link it to the geo-location system so that…
32 votes -
Network Protection: Bi-directional firewall rules
Create bidirectional firewall rules. For example, 2 servers need to contact each other on the same ports. Now you have to create 2 firewall rules.
30 votes -
Networking: Masquerading (NAT) Balancing Across All Public IP's
Use all available public addresses on the WAN interface, even though the HTTP proxy is turned on. The reason for this feature is to keep users working, even if the primary WAN IP address is offline.
29 votes -
Networking: Forward Ping for Devices behind UTM
In V8 it was possible to ping devices behind the UTM device; in V9 it is disabled and cannot be enabled with a packet filter rule.
This function is useful for us and our customer who has devices behind the UTM in his own DMZ that should be monitored by monitoring systems etc.
24 votes
While already possible by disabling the built-in ICMP handlers and creating your own packet filter rules for explicitly allowing such traffic, we will review the operation of this behavior and whether we can refine the GUI here.
-
Networking: Block/Blacklist IP Globally
A method is needed to quickly add an IP address or range to a "Deny Access" list.
Currently you have to create a new network definition for each bad host and then drag and drop it on a group that is used to deny access. The number of entries in the network definition page can therefore get very large.
There are several possible ways of implementing this:
1. Have a "Deny Access" tab under Network Security that contains a group definition for denied hosts or IP ranges to which you can quickly add entries.
2. Add a new type of…
24 votes