Rumours say (at least the ones I have heard :P) that PANOS 5.0 will somewhat address this dependency jungle out there, so you won't need to open up more than necessary. For example, where you today must open web-browsing + facebook (which would allow basically any HTTP surfing which doesn't have its own appid) in a single rule, you then will only need to open for just facebook. The PA would then allow a couple of web-browsing packets, enough to identify facebook, and if it's still not identified after a couple of packets it would deny the session. However, if this is true or not, or even involves the skype detection, I don't know; hopefully someone from PAN can answer this?

Otherwise I totally agree with you. One of (many) good things with using a PA box is the ability to block unknown traffic. But this will be spoiled if you are forced to allow unknown just to make detection of (for example) skype (among others) work.

But this whole appid stuff (no matter if it's the one PAN uses or from some other vendor) is a bit sketchy - that's why you should NEVER allow "service:any" even if you use appid, but set at least "service:application-default" or, even better, manually define which ports should be allowed. A simple test you can do on your own is if you allow web-browsing to any port for a server. Your "http-like" request can be "a b c" (that is a[space]b[space]c) followed with two enter strokes. This packet will bypass your PA and hit your server. Not until the server replies with "Error 400, Bad Request" will the PA know that "oh, this was supposed to be web-browsing but doesn't look anything like it" and block the response from the server from reaching the client (and at the same time drop the whole session).