Hi,
I think you are just confusing policy based FW with zone based FW. Every firewall has a policy, even Mikrotik FW has a policy (those are all the rules together). Mikrotik can also have a zone based FW config if you are using interface lists as zones. Zones just abstract away (are just names for) mostly interfaces.
As for NGFW or UTM, there is no real definition, so without a definition its not really possible to tell about MT if it can be considered one.
The real FW vendors provide you almost all the same features today:
-stateful firewall, with multiple policies for multiple routing tables (VRFs), subpolicies
-centralised management and logging
-URL filtering (this does not rely on DNS) and you can just block groups like "Social Media", you don´t maintain those, they are provided by the vendors
-DNS blackholing
-lots of dynamic VPN stuff, like dynamically routing over the VPN link with lover latency and so on
-NAT trickery, like SRCNAT to the Internet by hash of SRC IP
-Virus scanner and even sandbox VMs for downloaded files
-TLS man in the middle (you install the CA certificate generated by yourself into all your clients, so they trust you)
-intrusion prevention (IPS or deep packet inspection)
-application intelligence (for example assigning streaming video to low priority queue and shaping it down)
-portal with different authentication methods to enable some FW rule
-nested firewall objects
-VPN client
-advanced HA + all the routing protocols
-and a few more features, but no ZeroTier or Wireguard, however they mostly have Ipsec VTI
-a hefty price tag is also included >1,5-5000$ for a small office+subscriptions for virus signatures, cloud based stuff
All the best
W
