PA analyses security policies from top to bottom until it finds one that matches that session; once it finds a matching security policy, that is the one it's going to utilize.
Not knowing how secure you are trying to make things or anything like that, I would say lock it down to whatever it is you want it to stop. If you create a URL filtering profile that includes a custom category such as 'Streaming Media' that you've created so that Netflix, Hulu, Sling and the like are all blocked at a URL level with a block action, it's likely that you don't really care what application or what service the traffic is using; you simply want to block all traffic. In that situation you'd probably be fine leaving application and service as 'any', as there really wouldn't be any other reason to communicate with those URLs.
The policy would need to be placed before the rule that doesn't allow the user to access these websites. You can find this information by looking at the logs on the firewall; once you've verified what rule is actually blocking the traffic, simply place the new rule above that one.
If you constantly find yourself putting things at the top of your security policies, you're going to run into a situation where you'll start breaking things; it's best to identify the correct place for the policy in question and put the policy exactly where it needs to be at the beginning.
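
A simplified model of the top-down, first-match evaluation described in the answer above, added here as an example; it is not PAN-OS code and not part of the original post. The rule names, user names and session fields are constructed for illustration, and only two match criteria (source user and URL category) are modelled.

```python
from dataclasses import dataclass

ANY = "any"

@dataclass(frozen=True)
class Rule:
    name: str
    source_user: str    # "any" or one specific user
    url_category: str   # "any" or one category name
    action: str         # "allow" or "deny"

    def matches(self, session):
        return (self.source_user in (ANY, session["user"])
                and self.url_category in (ANY, session["url_category"]))

def first_match(rulebase, session):
    """Walk the rulebase top to bottom; the first matching rule decides."""
    for index, rule in enumerate(rulebase):
        if rule.matches(session):
            return index, rule
    return None, None  # no explicit rule matched (default handling not modelled)

def insert_above_deciding_rule(rulebase, new_rule, session):
    """Place new_rule directly above the rule that currently decides the
    session, instead of at the very top of the rulebase."""
    index, _ = first_match(rulebase, session)
    if index is None:
        return rulebase + [new_rule]
    return rulebase[:index] + [new_rule] + rulebase[index:]

# Constructed sample data (hypothetical rule and user names).
RULEBASE = [
    Rule("allow-business-apps", ANY, "business", "allow"),
    Rule("block-streaming", ANY, "Streaming Media", "deny"),
    Rule("allow-web", ANY, ANY, "allow"),
]
EXCEPTION = Rule("allow-alice-streaming", "alice", "Streaming Media", "allow")
ALICE = {"user": "alice", "url_category": "Streaming Media"}
BOB = {"user": "bob", "url_category": "Streaming Media"}

if __name__ == "__main__":
    # Appended at the bottom, the exception is shadowed by block-streaming.
    print(first_match(RULEBASE + [EXCEPTION], ALICE)[1].name)
    # Placed directly above the deciding rule, it takes effect for alice only.
    fixed = insert_above_deciding_rule(RULEBASE, EXCEPTION, ALICE)
    print([r.name for r in fixed])
    print(first_match(fixed, ALICE)[1].action, first_match(fixed, BOB)[1].action)
```
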