@smarcyes,
I think this really depends on what you're trying to do. For instance, when I block QUIC traffic outbound to my untrust zone I may not want to just outright drop UDP/443 traffic at the very top of my rulebase. While that's usually going to be QUIC, it is used for other traffic that I might actually want to allow through. In that instance, doing it off of the QUIC app-id signature might be preferred. Keep in mind that as soon as QUIC is identified, the traffic is going to get dropped. So while you're allowing some traffic to proceed, the firewall does a very good job of identifying the traffic quickly and dropping it.
When you're talking about something like tcp/22 in the case of SSH, depending on the zone and my intent I might not have that same concern. I might actually want to block any tcp/22 traffic to my untrust zone regardless of app-id. In that case, just dropping it from a service aspect means I don't have to allow any traffic to traverse that port. Same thing for port 445 across the untrust zone, regardless of TCP or UDP: I might just want to drop all of that traffic outright.
Just to bring up as well, I don't see a general need for deny rules in most well-kept rulebases. You need to have something that would otherwise allow the traffic to be processed anyway. So in the case of SSH, that's something that I would actively have to allow, and where it is allowed in the rulebase I ensure that it's very targeted, including utilizing user-id to lock it down to specific people (or groups) to very targeted destinations. Same with the SMB example utilized in these examples; I'd argue that anything allowing SMB across zones should be heavily targeted and defined.
I see some people unknowingly allowing access to applications to their untrust zone when doing audits. Generally, this is because they created a rule that essentially says anything from trust to untrust with application any with service application-default action allow. This is a pretty poor way to build outside access from a security aspect, but it's where more of these deny rules off of app-id come into play for people. I'd argue that you should be maintaining application-groups based off of set criteria when allowing outbound untrust traffic. That would be the more "secure" way of allowing internet access, and it does away with the vast majority of deny entries in a rulebase.
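The rulebase layout the reply above describes, written out as PAN-OS set-format CLI commands. This is an added illustration, not configuration posted by the reply's author or taken from any vendor document. Zone names `trust` and `untrust` come from the reply; the `dmz` zone, the rule and service names, the address object `jump-hosts`, the user group `corp\netadmins` and the members of the application-group are all assumed placeholders. The commented-out `Allow-Anything-Out` line is the "application any / service application-default" rule the reply warns about, shown only for contrast.

```text
# --- objects (assumed names) ---
set service tcp-22  protocol tcp port 22
set service tcp-445 protocol tcp port 445
set service udp-445 protocol udp port 445
# Sanctioned outbound apps; membership is an assumption, maintain it to your own criteria
set application-group Outbound-Allowed members [ ssl web-browsing dns ]

# --- 1. service-based drops: nothing on these ports is ever allowed to start ---
set rulebase security rules Deny-SSH-Untrust from trust to untrust source any destination any source-user any application any service tcp-22 action deny
set rulebase security rules Deny-SMB-Untrust from trust to untrust source any destination any source-user any application any service [ tcp-445 udp-445 ] action deny

# --- 2. app-id based drop: UDP/443 may begin, but the session is dropped once identified as quic ---
set rulebase security rules Deny-QUIC-Untrust from trust to untrust source any destination any source-user any application quic service any action deny

# --- 3. the one SSH allow: user-id group to a named destination only (dmz zone and objects assumed) ---
set rulebase security rules Allow-Admin-SSH from trust to dmz source any destination jump-hosts source-user "corp\netadmins" application ssh service application-default action allow

# --- 4. outbound internet via the application-group, not "application any" ---
# What NOT to do (left commented out on purpose):
# set rulebase security rules Allow-Anything-Out from trust to untrust source any destination any source-user any application any service application-default action allow
set rulebase security rules Allow-Internet from trust to untrust source any destination any source-user any application Outbound-Allowed service application-default action allow

# --- 5. everything else falls through to the interzone default; log it so audits can see what was dropped ---
set rulebase default-security-rules rules interzone-default action deny
set rulebase default-security-rules rules interzone-default log-end yes
```

Rule order matters: the service-based denies in section 1 sit above everything so tcp/22 and 445 are rejected before App-ID has anything to look at, while the quic deny in section 2 relies on the firewall identifying the application mid-session, which is exactly the trade-off the reply describes. With the application-group in section 4 doing the allowing, the only deny rules left are the few deliberate ones at the top; anything not in `Outbound-Allowed` is dropped by the interzone default without a per-application deny entry.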