As per current upgrade recommendation:
These steps are required to make sure that you don't run into problems with PAN-OS Upgrades that get too big because then the firewall does not need to combine the base and minor image into one upgrade package.
please check out this article that highlights upgrade best practices: https://live.paloaltonetworks.com/t5/Featured-Articles/Best-Practices-for-PAN-OS-Upgrade/ta-p/111045
the process is indeed as @vsys_remo explains
PAN-OS 7.1 Policy behavior change application-default In PAN-OS 7.1:
when a security policy rule is configured with the Application setting 'Any' and the Service setting 'application-default', the rule Action is now applied only on the standard ports for any application. For example, if a security policy rule is configured to allow any application traffic on the default application ports, web-browsing is allowed only on port 80. In earlier PAN-OS release versions, the Service setting 'application-default' was not enforced when configured with the Application setting Any.
As per my experiance i had changed all of security policy rules were configured with the Application Service setting 'application-default' to any to.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!