Wireless: Rogue access point detection
The UTM should be able to detect rogue access points surreptitiously added to the network.
This would be a major selling point for wireless protection - even if it only alerts an administrator when a rogue BSSID/SSID is detected. Deauth capabilities would be even better again!
We scan for MAC addresses to do this, but some users will actually change their MAC address to spoof a desktop, killing the process. Then you'd want to detect the NAT used on that port, but that would also trigger on wanted NAT devices, so you'll want a whitelist for those, or have a strict corporate policy restricting the number of IP addresses that can be served on one switched port. But then those stations running VMs will trigger false positives and you'll have to maintain another whitelist for those. In an ideal scenario/world, you would perform internal network discovery on a regular basis, to detect what is being hooked up to your network and actually KNOW what's on your network. The most secure option is still a NAC, since unauthorised devices simply won't work, and that should kill your rogue Wi-Fi router problem.
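The detection cascade the comment above walks through (vendor OUI match, NAT detection behind a port, per-port host limit, and the whitelists each step forces on you) as an added, runnable illustration; this is example code written for this page, not part of the original post or of any UTM product. It assumes a sensor on the same L2 segment as the access switch (so a directly attached host shows an unmodified initial TTL), the hypothetical OUI prefixes `AA:BB:CC` and `DE:AD:BE` standing in for Wi-Fi router vendors, and a constructed switch-port inventory; the TTL heuristic is the common observation that a host NATed behind a consumer router hands the sensor packets with TTL 63/127/254 rather than 64/128/255.

```python
"""Rogue AP / hidden NAT triage over a constructed switch-port inventory.

Checks, in the order the comment above walks through them:
  1. OUI match      - the source MAC belongs to a Wi-Fi router vendor.
  2. NAT behind MAC - one MAC fronts several IPs, or frames from it carry
                      an initial TTL decremented by a router hop
                      (63/127/254 instead of 64/128/255).
  3. Port policy    - more MACs on one switched port than policy allows.
Ports on the allow-list (authorised NAT devices, VM hosts) skip the
behavioural checks 2 and 3: that is the whitelist the comment warns
you will end up maintaining.
"""
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical OUI prefixes standing in for Wi-Fi router vendors; a real
# deployment would load the IEEE OUI registry instead.
ROGUE_AP_OUIS = {"AA:BB:CC", "DE:AD:BE"}
INITIAL_TTLS = (64, 128, 255)   # common OS / network-gear defaults


@dataclass(frozen=True)
class Observation:
    port: str   # access-switch port the frame arrived on
    mac: str    # source MAC
    ip: str     # source IPv4 address
    ttl: int    # IP TTL as seen by the sensor


def oui(mac):
    return mac.upper()[:8]


def extra_hops(ttl, sensor_hops=0):
    """Router hops beyond the expected path, inferred from the TTL.

    Returns 0 for a directly attached host; 1..4 if the TTL sits that many
    below a known initial value once the expected hops to the sensor are
    discounted (i.e. something on the port is routing or NATing for it).
    """
    for base in INITIAL_TTLS:
        gap = base - ttl - sensor_hops
        if 0 <= gap <= 4:
            return gap
    return 0  # unknown stack, or too far below a default to say anything


def triage(observations, allow_list, max_macs_per_port, sensor_hops=0):
    """Return sorted (port, mac, reason) findings for the inventory."""
    by_port = defaultdict(list)
    for o in observations:
        by_port[o.port].append(o)
    findings = set()
    for port, obs in by_port.items():
        ips_by_mac = defaultdict(set)
        for o in obs:
            ips_by_mac[o.mac].add(o.ip)
        # 1. vendor OUI check: cheap, but defeated by MAC spoofing
        for mac in ips_by_mac:
            if oui(mac) in ROGUE_AP_OUIS:
                findings.add((port, mac, "OUI matches a Wi-Fi router vendor"))
        if port in allow_list:
            continue  # authorised NAT box or VM host: behavioural checks off
        # 2. NAT detection: several IPs behind one MAC, or TTL a hop short
        for mac, ips in ips_by_mac.items():
            if len(ips) > 1:
                findings.add((port, mac, f"one MAC fronts {len(ips)} IPs"))
        for o in obs:
            hops = extra_hops(o.ttl, sensor_hops)
            if hops:
                findings.add((port, o.mac,
                              f"TTL {o.ttl} from {o.ip} implies {hops} extra hop(s)"))
        # 3. per-port policy: too many stations on a single switched port
        if len(ips_by_mac) > max_macs_per_port:
            findings.add((port, "*",
                          f"{len(ips_by_mac)} MACs exceed the limit of {max_macs_per_port}"))
    return sorted(findings)


# Constructed sample inventory (not real captures).
SAMPLE = [
    Observation("Gi1/0/1", "00:11:22:33:44:55", "10.0.0.10", 128),  # plain Windows desktop
    Observation("Gi1/0/2", "AA:BB:CC:01:02:03", "10.0.0.20", 64),   # rogue router itself
    Observation("Gi1/0/2", "AA:BB:CC:01:02:03", "10.0.0.20", 63),   # Linux phone NATed behind it
    Observation("Gi1/0/2", "AA:BB:CC:01:02:03", "10.0.0.20", 127),  # Windows laptop NATed behind it
    Observation("Gi1/0/3", "00:11:22:AA:BB:CC", "10.0.0.30", 127),  # router spoofing a desktop MAC
    Observation("Gi1/0/4", "00:11:22:00:00:04", "10.0.0.40", 63),   # authorised lab NAT router
    Observation("Gi1/0/5", "00:50:56:00:00:51", "10.0.0.51", 64),   # VM host with bridged guests
    Observation("Gi1/0/5", "00:50:56:00:00:52", "10.0.0.52", 64),
    Observation("Gi1/0/5", "00:50:56:00:00:53", "10.0.0.53", 64),
]
ALLOW_LIST = {"Gi1/0/4"}   # the "wanted NAT devices" whitelist

if __name__ == "__main__":
    for port, mac, reason in triage(SAMPLE, ALLOW_LIST, max_macs_per_port=2):
        print(f"{port:8} {mac:18} {reason}")
```

Run as-is it flags the vendor-OUI router on Gi1/0/2 three times (OUI plus two NATed clients whose TTLs are one hop short), catches the MAC-spoofing router on Gi1/0/3 by TTL alone, stays quiet on the whitelisted lab router, and raises the per-port policy hit on the VM host on Gi1/0/5; adding that port to the allow-list silences it, which is the second whitelist the comment predicts. Note the gap the comment's cascade still leaves: a rogue AP configured as a transparent bridge rather than a NAT router shows no TTL anomaly and no IP-per-MAC anomaly, and is only caught by the per-port MAC count or by NAC.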