Major Changes Needed for All FTG Units

OK, I have been using 3 FortiGate units for some time now. At one point I had awesome contact with the developers at Fortinet and felt as if I was helping to mold the way in which the product was growing. At this point it has been far too long since I have given my input. List of changes:

1.) Syslogging. When the FortiGate devices log to a syslog server, we need to have the 800-character identification removed from its reporting, or at least made optional. This is wasted data transfer. When you are syslogging you already have the device's IP and the log server's time when the event happened. You do not need these things, or they should be made optional: serial number, date/time of device, device name, log ID. These should all be made optional. When you use a program like syslog to monitor several devices, including the FortiGate units, all this extra data makes it impossible to actually see the events happen live.

2.) NAT mode needs to be reworked. I'm sorry to say, but anyone here who has hardware devices or software devices that can actually read your IP and need direct communication knows what I mean. When a firewall is in NAT mode, all aspects of the firewall should make it transparent to the world. No one should be able to detect its presence. A firewall is not only supposed to protect the network behind it but act as if it's simply not there. I can sniff some more packets for Fortinet if you guys need me to, so that you can see what I'm getting at.

3.) Spam features. Well, this is simple enough. Heard of the Spamhaus project? Well, allow a light configuration for a DNS query on the firewall. Check this out: when incoming mail traffic hits the FortiGate, it is checked with any and all RBL/XBL DNS servers that the FortiGate device is given an address to look at. If the FortiGate gets a return from these RBL services, then the connection is dropped. This not only prevents and stops listed spam sources that are updated on the fly, but prevents the mail from even hitting the server.

This saves on 2 things. A. The processing power needed to handle the spam processing on the mail server. B. The bandwidth used to deliver the actual email. As we all know, the connection packets are small in comparison to the packets used to deliver the message itself. Simply allowing the firewall to deny the connection would end all this. Not to mention help with the marketing. I have been making this suggestion to technical for about, oh, I don't know, 18 or 19 months.
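The RBL gate described in point 3 of the post above, written out as an added example; this is not code from the original post and not Fortinet's implementation. It shows the actual mechanics of a DNSBL lookup: the connecting SMTP client's IPv4 address is reversed octet by octet, the list zone is appended, and an A record inside 127.0.0.0/8 means "listed", while NXDOMAIN means "not listed". Two things the post does not spell out are handled explicitly: internal (RFC 1918, loopback, link-local) sources are never queried, since they are never listed and the query would leak internal addressing to a third party; and a resolver failure or an error-code answer is separated from a listing so that a broken DNS path does not silently drop all inbound mail. The zone name `zen.spamhaus.org` is Spamhaus's real combined zone; the `SAMPLE_DNS` table and the source addresses are constructed for offline use, and the 127.255.255.0/24 error-code handling follows Spamhaus's return codes, which is an assumption for any other list.

```python
import ipaddress
import socket
from typing import Callable, Dict, Optional, Sequence, Tuple

# DNSBL zones to consult. zen.spamhaus.org is Spamhaus's combined SBL/XBL/PBL
# zone; in practice this would be whatever zones the firewall is configured with.
DNSBL_ZONES: Sequence[str] = ("zen.spamhaus.org",)

# A DNSBL answers a listed address with an A record inside 127.0.0.0/8.
LISTED_NET = ipaddress.IPv4Network("127.0.0.0/8")
# Spamhaus returns 127.255.255.x for error conditions (e.g. queries through a
# blocked public resolver). Treating those as listings would drop all mail, so
# they are classified as lookup errors. Assumption: other DNSBLs may differ.
ERROR_NET = ipaddress.IPv4Network("127.255.255.0/24")

# Sources that must never be sent to a DNSBL: never listed, and the query would
# leak internal addressing. An explicit list is used instead of ipaddress's
# is_private so the RFC 5737 documentation ranges in the sample are still queried.
SKIP_NETS = [ipaddress.IPv4Network(n) for n in
             ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")]

Resolver = Callable[[str], Optional[str]]


def dnsbl_query_name(client_ip: str, zone: str) -> str:
    """Reverse the octets and append the zone: 1.2.3.4 -> 4.3.2.1.zone."""
    octets = str(ipaddress.IPv4Address(client_ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def resolve_a(name: str) -> Optional[str]:
    """Live resolver: the A record as a string, or None when the name does not exist."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None  # NXDOMAIN: not listed in this zone


def check_sender(client_ip: str,
                 zones: Sequence[str] = DNSBL_ZONES,
                 resolver: Resolver = resolve_a) -> Tuple[str, str]:
    """Return (verdict, reason); verdict is 'accept', 'drop' or 'error'."""
    ip = ipaddress.IPv4Address(client_ip)
    if any(ip in net for net in SKIP_NETS):
        return "accept", "internal address, not queried"
    for zone in zones:
        qname = dnsbl_query_name(client_ip, zone)
        try:
            answer = resolver(qname)
        except OSError as exc:  # timeout, unreachable resolver, ...
            return "error", f"{zone}: lookup failed ({exc.__class__.__name__})"
        if answer is None:
            continue  # not listed in this zone; try the next one
        addr = ipaddress.IPv4Address(answer)
        if addr in ERROR_NET:
            return "error", f"{zone}: error code {answer}"
        if addr in LISTED_NET:
            return "drop", f"{zone}: listed as {answer}"
        # Any other answer (e.g. an ISP wildcarding NXDOMAIN) is not a listing.
    return "accept", "not listed"


def allow_smtp_connection(client_ip: str,
                          zones: Sequence[str] = DNSBL_ZONES,
                          resolver: Resolver = resolve_a,
                          fail_open: bool = True) -> bool:
    """Gate for an inbound TCP/25 connection: True = pass it on to the mail server."""
    verdict, _ = check_sender(client_ip, zones, resolver)
    if verdict == "drop":
        return False
    if verdict == "error":
        return fail_open  # fail open keeps mail flowing when the DNSBL is unreachable
    return True


# Constructed offline stand-in for the DNS: query name -> A record.
SAMPLE_DNS: Dict[str, str] = {
    "23.100.51.198.zen.spamhaus.org": "127.0.0.4",        # constructed: listed
    "77.113.0.203.zen.spamhaus.org": "127.255.255.254",  # constructed: error code
}


def fake_resolver(name: str) -> Optional[str]:
    """Offline resolver over SAMPLE_DNS; missing names behave like NXDOMAIN."""
    return SAMPLE_DNS.get(name)


if __name__ == "__main__":
    for src in ("198.51.100.23", "203.0.113.9", "203.0.113.77", "10.1.2.3"):
        print(src, check_sender(src, resolver=fake_resolver),
              "pass" if allow_smtp_connection(src, resolver=fake_resolver) else "drop")
```

Swap `fake_resolver` for the default `resolve_a` to query live. Whether to fail open or closed on a lookup error is the policy decision a firewall feature like this has to expose: failing closed turns a DNS outage into a mail outage, failing open lets listed sources through while the list is unreachable.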

Ha, it's funny. I just saw that finally in 2.8 they will be implementing the RBL list connections for the FortiGate unit. I guess they were listening. Thanks, guys. Now we just need NAT and the log reporting fixed.

It's good that you are making suggestions, FReEX. Keep it up!