Mikael, I have tested your theory and it works. I basically cloned my "Trust Web Traffic" rule, which was "ANY Trust to ANY Untrust, web-browsing and ssl", but then I set the service to "select" and had "service-http and service-https". I still feel this is negating the purpose of the Palo Alto App-ID architecture. We are basically using the firewall in layer 3 mode and allowing ports through regardless of the layer 7 application information. The answer to this, and please jump in if you disagree, is for Palo Alto to have an application called "google-search" with a dynamic TCP port range of 80, 443. This would allow the traffic to switch to 443 and still identify the traffic at the layer 7 level. This would then allow us to use the application-default option. Let me know your views on this.
... View more

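The two rule variants described in the post, written out in PAN-OS CLI "set" syntax as an added illustration (this is not configuration posted by the author or taken from the thread). The zone names "trust" and "untrust" and the rule names are assumptions; the first rule is the original one relying on application-default, the second is the cloned rule with the explicit predefined service objects service-http and service-https:

```text
# Assumed original rule: App-ID decides which ports are allowed for each app
# ("application-default"), so web-browsing is only permitted on its default
# port and ssl on its default port.
set rulebase security rules "Trust Web Traffic" from trust
set rulebase security rules "Trust Web Traffic" to untrust
set rulebase security rules "Trust Web Traffic" source any
set rulebase security rules "Trust Web Traffic" destination any
set rulebase security rules "Trust Web Traffic" application [ web-browsing ssl ]
set rulebase security rules "Trust Web Traffic" service application-default
set rulebase security rules "Trust Web Traffic" action allow

# Cloned rule as described in the post: same applications, but the service is
# set explicitly to the predefined objects service-http and service-https,
# so either application is allowed on either of those ports.
set rulebase security rules "Trust Web Traffic - Clone" from trust
set rulebase security rules "Trust Web Traffic - Clone" to untrust
set rulebase security rules "Trust Web Traffic - Clone" source any
set rulebase security rules "Trust Web Traffic - Clone" destination any
set rulebase security rules "Trust Web Traffic - Clone" application [ web-browsing ssl ]
set rulebase security rules "Trust Web Traffic - Clone" service [ service-http service-https ]
set rulebase security rules "Trust Web Traffic - Clone" action allow
```

These commands are entered in configure mode and take effect only after a commit. The difference between the two rules is entirely in the service field: with application-default the port check is tied to each App-ID signature, while with an explicit service list the port check is independent of which application was identified, which is the trade-off the post is discussing.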