I don't believe you will ever really get rid of this rule and I personally wouldn't be too worried about it. To actually strictly use app-id on untrust based traffic you would essentially need to create a rule that incorporated every single app-id but those that you did not wish to allow from your trust to your untrust zone. This wouldn't be that hard to do, but maintaining this rule would take a lot of work as any app-id that PA identifies in the future would also need to be entered into this rule if you wish to allow access.
Depending on your security requirements it's likely not worth the time to actually attempt to fix this rule; 98% of environments that you visit will have the exact same type of rule assigned to their trust to untrust zones. Make sure that you have a good security profile assigned to this rule and call it done.
@BPry that is where Application Filters help you out.
Instead of creating static Application Groups you create dynamic Application Filters.
Just gonna leave this here: What are the recommended applications for internet access? :)