In most cases, I would not recommend leaving the service/port definition as "any", particularly on inbound rules. For inbound rules, there is not really a good reason to wait to drop a session based on App-ID when you know you don't want the traffic coming in on that port in the first place. As a general rule, inbound policy should always include "application-default" or the specific port you know you have the service running on.

For outbound rules, it is best to have the firewall policy reflect what your intention is. For example, if you want to allow users to run web-browsing or ssh on random ports, use "any" in the service column and they will be allowed to do that. I wouldn't necessarily recommend that, but the key is to write the policy that is appropriate for your environment. When you are protecting servers, allowing traffic on random ports is almost always a bad idea. When you are protecting users, it may still be a bad idea, but that will largely depend on your environment, the risk you are willing to allow, and the threat protection you are employing on the outbound (and inbound response) traffic.

Generally speaking, the smaller you can get the surface area of exposure, the better you can manage the risk. App-ID allows you to do that in important ways, but it doesn't mean you should increase the port-based surface area just because you can.

Mike
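The guidance in the post above (inbound allows should use "application-default" or a known port; server-initiated allows on any port are almost always wrong; user outbound allows on any port depend on the environment) can be turned into a simple policy lint. The following is an added example and is not code from the post or from Palo Alto Networks. It assumes a simplified rule model (each rule is a dict with zone lists `from` and `to`, an `application` list, a `service` list and an `action`), and the zone names, rule names and rule contents are constructed for the example; only the "any" and "application-default" service keywords follow PAN-OS naming.

```python
"""Lint a firewall rule set for over-broad service ("any") definitions.

Added example, not from the original post.  It assumes a simplified rule
model rather than a real PAN-OS configuration export; adapting it to a
real export is left to the reader.
"""

# Assumption: zones that face the Internet and zones that hold servers.
EXTERNAL_ZONES = {"untrust"}
SERVER_ZONES = {"dmz"}

# Constructed sample rule set for the example (not a real policy).
RULES = [
    {"name": "inbound-web", "from": ["untrust"], "to": ["dmz"],
     "application": ["web-browsing", "ssl"],
     "service": ["application-default"], "action": "allow"},
    {"name": "inbound-ssh-anyport", "from": ["untrust"], "to": ["dmz"],
     "application": ["ssh"], "service": ["any"], "action": "allow"},
    {"name": "inbound-rdp-custom", "from": ["untrust"], "to": ["dmz"],
     "application": ["ms-rdp"], "service": ["tcp-33389"], "action": "allow"},
    {"name": "users-out", "from": ["trust"], "to": ["untrust"],
     "application": ["web-browsing", "ssl", "ssh"],
     "service": ["any"], "action": "allow"},
    {"name": "servers-out", "from": ["dmz"], "to": ["untrust"],
     "application": ["ntp", "dns"], "service": ["any"], "action": "allow"},
    {"name": "deny-all", "from": ["any"], "to": ["any"],
     "application": ["any"], "service": ["any"], "action": "deny"},
]


def is_inbound(rule, external_zones=EXTERNAL_ZONES):
    """True if the rule lets traffic from an external zone reach a
    non-external zone.  A literal "any" zone is treated as matching."""
    from_external = any(z == "any" or z in external_zones for z in rule["from"])
    to_internal = any(z not in external_zones for z in rule["to"])
    return from_external and to_internal


def lint_rules(rules, external_zones=EXTERNAL_ZONES, server_zones=SERVER_ZONES):
    """Return (rule name, severity, message) for every allow rule whose
    service column is "any", graded by the direction and source zone."""
    findings = []
    for rule in rules:
        if rule["action"] != "allow":
            continue  # a catch-all deny with service "any" is expected
        if "any" not in rule["service"]:
            continue  # application-default or an explicit port: nothing to flag
        if is_inbound(rule, external_zones):
            findings.append((rule["name"], "high",
                             "inbound allow with service 'any': use "
                             "application-default or the port the service runs on"))
        elif any(z in server_zones for z in rule["from"]):
            findings.append((rule["name"], "medium",
                             "server-initiated allow on any port: constrain the service"))
        else:
            findings.append((rule["name"], "low",
                             "user outbound allow on any port: confirm this is intended "
                             "and that threat protection covers it"))
    return findings


if __name__ == "__main__":
    for name, severity, message in lint_rules(RULES):
        print(f"[{severity}] {name}: {message}")
```

Running it on the constructed rules flags `inbound-ssh-anyport` as high, `users-out` as low and `servers-out` as medium; the rules using `application-default` or an explicit port, and the catch-all deny, produce no finding.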