Encryption free zones / APT detection
It would be nice (not sure if technically possible) if there was the ability to detect and block known encryption techniques on the local LAN.
Adversaries use encrypted tunnels to communicate with C&C servers. The blocking/alerting of any kind of non-whitelisted encryption would help prevent C&C communication and signify infection.
Any device requiring encryption would need to be whitelisted; other connections (like web browsing) would need to be performed by the UTM.
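
A sketch of the kind of check the request describes, added here as an illustration and not taken from the original post or from any UTM product: it labels the first payload bytes of a flow as TLS, SSH, unidentified high-entropy data or cleartext, and alerts when an encrypted-looking flow comes from a host that is not whitelisted. The addresses, the whitelist, the entropy threshold and the function names are all assumptions.

```python
import math
from collections import Counter

# Assumptions: constructed addresses and an entropy threshold to tune per network.
ENCRYPTION_WHITELIST = {"10.0.0.5"}   # hosts allowed to originate encrypted flows
ENTROPY_THRESHOLD = 7.0               # bits per byte
MIN_ENTROPY_SAMPLE = 256              # shorter payloads give unreliable entropy

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of the byte distribution, in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify_payload(payload: bytes) -> str:
    """Label the first payload bytes of a flow."""
    # TLS record header: content type 0x16 (handshake), version 0x0300..0x0304.
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03 and payload[2] <= 0x04:
        return "tls"
    # SSH identification string sent in cleartext before key exchange.
    if payload.startswith(b"SSH-"):
        return "ssh"
    # No known header: fall back to entropy. Compressed data also scores high,
    # so this label is a triage signal, not proof of encryption.
    if len(payload) >= MIN_ENTROPY_SAMPLE and shannon_entropy(payload) >= ENTROPY_THRESHOLD:
        return "high-entropy"
    return "cleartext"

def evaluate_flow(src_ip: str, payload: bytes) -> tuple:
    """Return (action, label): alert on encrypted-looking flows from non-whitelisted hosts."""
    label = classify_payload(payload)
    if label == "cleartext" or src_ip in ENCRYPTION_WHITELIST:
        return ("allow", label)
    return ("alert", label)

# Constructed sample flows: (source IP, first payload bytes).
SAMPLE_FLOWS = [
    ("10.0.0.23", b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    ("10.0.0.23", b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03"),  # TLS ClientHello prefix
    ("10.0.0.5", b"SSH-2.0-OpenSSH_9.6\r\n"),
    ("10.0.0.23", bytes(range(256)) * 2),  # uniform bytes standing in for ciphertext
]

if __name__ == "__main__":
    for src, data in SAMPLE_FLOWS:
        print(src, *evaluate_flow(src, data))
```

Header matching only catches protocols that announce themselves; the entropy fallback is what covers custom tunnels, at the cost of false positives on compressed transfers.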