Ability to tune & define WAF rules
The ability to have fine-grained control over which WAF rules report & block would make it far easier to perform a gradual implementation. Custom WAF rules would allow users to use the UTM for "external patching" - mitigating known vulnerabilities when it is not possible to patch the application immediately.
This would need to be combined with the ability to report and alert on WAF blocks & triggers to be useful.
Clayton Dillard commented
I agree fully. A WAF that you cannot tune is useless. I posted a very similar suggestion a year or more ago. I cannot understand why this is not a top item for customers who need to protect web apps.