If your custom app will have a port number, then it is your choice. As I said earlier, "any" will allow your custom app on any port (not recommended); "application-default" will allow your app only on the port number or range defined in the custom app.

https://live.paloaltonetworks.com/t5/Learning-Articles/Tips-amp-Tricks-What-Does-Application-default-Under-Service-Mean/ta-p/54167

What do they mean?

Any - This simply means all ports: 1-65535, TCP or UDP. The selected applications are allowed or denied on any protocol or port.

Select - This means that you will have to specify exactly what TCP or UDP port the application you want to allow or block is going to use. Choose an existing service or choose Service or Service Group to specify a new entry.

Application-Default - Choosing this means that the selected applications are allowed or denied only on their default ports defined by Palo Alto Networks. This option is recommended for allow policies because it prevents applications from running on unusual ports and protocols, which, if not intentional, can be a sign of undesired application behavior and usage.
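Added example, not part of the original post and not Palo Alto Networks code: a small audit that classifies each security rule's Service setting as any, application-default or select, and flags allow rules that use "any". The XML is a constructed sample in the shape of a PAN-OS rulebase; the rule, application and service names in it are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample rulebase fragment (not from a real device).
SAMPLE_RULES = """
<rules>
  <entry name="allow-custom-app">
    <application><member>my-custom-app</member></application>
    <service><member>any</member></service>
    <action>allow</action>
  </entry>
  <entry name="allow-web">
    <application><member>web-browsing</member><member>ssl</member></application>
    <service><member>application-default</member></service>
    <action>allow</action>
  </entry>
  <entry name="allow-custom-port">
    <application><member>my-custom-app</member></application>
    <service><member>service-tcp-8443</member></service>
    <action>allow</action>
  </entry>
  <entry name="block-p2p">
    <application><member>bittorrent</member></application>
    <service><member>any</member></service>
    <action>deny</action>
  </entry>
</rules>
"""

def members(entry, tag):
    """Collect the <member> values under a given child element of a rule."""
    return [m.text.strip() for m in entry.findall(f"{tag}/member") if m.text]

def classify_service(services):
    """Map a rule's service list to the three options described in the post."""
    if "any" in services:
        return "any"
    if "application-default" in services:
        return "application-default"
    return "select"  # one or more named service objects or groups

def audit(xml_text):
    """Return (rule name, service mode, finding) for every rule, in order."""
    results = []
    for entry in ET.fromstring(xml_text).findall("entry"):
        mode = classify_service(members(entry, "service"))
        action = entry.findtext("action", default="").strip()
        # Only allow rules on all ports are flagged; deny rules on "any" are fine.
        flagged = action == "allow" and mode == "any"
        results.append((entry.get("name"), mode,
                        "REVIEW: allow on all ports" if flagged else "ok"))
    return results

if __name__ == "__main__":
    for name, mode, finding in audit(SAMPLE_RULES):
        print(f"{name:20} {mode:20} {finding}")
```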