Hi @jorgenfrejso,
You are correct. You cannot have a rule with application-default and specific ports. You are also correct that it is a good idea to clone the rule and have 2 rules - 1 with application-default and 1 with specific ports. In this case, since "ssl" only has the default port of tcp/443, I would change application-default to those 3 ports - tcp/443, tcp/563, and tcp/993.
If you left the rule with "ssl" and any for the services, the security rule would allow a few packets on all ports until the application is identified. This method is the least secure.
Thanks,
Tom
Help the community: Like helpful comments and mark solutions.