We'd like to see the ability to block inbound but especially outbound traffic based on Geo Location of IP address. Doing it in CIDR blocks and per IP can be taxing, and trying to ID based on categories of web or apps can also be hard. If we could say "No web or app traffic should go out to Russia at all regardless", for example, that would help some of the malware call home and other stuff we see with our clients' user base. Including one place to go for CIDR or individual IP blocks would also help.
Either bake it into the Web filter, App filter, or make it a separate rack that would win over the Web and App filters, but Geo Location IP Blocking would help. We use it now with Trend Micro email filtering and has saved a ton of extra "junk" coming in so extending that sort of functionality into the firewall would be great.