Information
Create security policies that specify application-default for the Service setting or, where a non-standard port is required, a service object limited to the specific ports desired. A Service setting of any should not be used in any policy that allows traffic.
Rationale:
App-ID requires a number of packets to traverse the firewall before an application can be identified and either allowed or dropped. Because of this, even when a specific application is defined in a security policy, a Service setting of any may allow a device in one zone to perform port scans against IP addresses in a different zone. Restricting the Service setting also helps to avoid an App-ID cache pollution attack.
Because of how App-ID works, a Service setting of any allows some initial traffic to reach the target host before App-ID can recognize and appropriately restrict it. A Service setting of application-default (or a service object with explicit ports) at least confines that initial volume of traffic to the standard ports of the intended applications or protocols.
Solution
Navigate to Policies > Security.
For each exposed host, ensure a Security Policy exists with:
Source tab: Zone set to OUTSIDE / Address set to any
Destination tab: Zone set to DMZ / Address set to <DMZ Host Object>
Application tab: Application set to web-browsing (or the appropriate application)
Service tab: Service set to application-default. The value of any should never be used.
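As an added audit check (not part of the benchmark text or of any Palo Alto Networks tool), the following Python script parses an exported PAN-OS configuration, lists every security rule that allows traffic with Service set to any, and prints the configure-mode command that sets each offending rule to application-default. The XML layout is that of a standard running-config export; the sample configuration, rule names, zones and address object embedded below are constructed for this example, and the `set rulebase security rules <name> service application-default` command should be confirmed against the PAN-OS version in use before it is pasted into a session.

```python
"""Audit a PAN-OS XML configuration for allow rules whose Service is 'any'.

Input is the XML produced by Device > Setup > Operations > Export (or
`show config running` in operational mode).  SAMPLE_CONFIG below is a
constructed, trimmed example used when no file is given.
"""
import sys
import xml.etree.ElementTree as ET

# Constructed sample: one compliant rule, one allow rule with service any,
# and one deny rule (deny rules with service any are out of scope here).
SAMPLE_CONFIG = """<config version="10.1.0">
  <devices>
    <entry name="localhost.localdomain">
      <vsys>
        <entry name="vsys1">
          <rulebase>
            <security>
              <rules>
                <entry name="dmz-web">
                  <from><member>OUTSIDE</member></from>
                  <to><member>DMZ</member></to>
                  <source><member>any</member></source>
                  <destination><member>dmz-web-01</member></destination>
                  <application><member>web-browsing</member></application>
                  <service><member>application-default</member></service>
                  <action>allow</action>
                </entry>
                <entry name="dmz-ssh-any-svc">
                  <from><member>OUTSIDE</member></from>
                  <to><member>DMZ</member></to>
                  <source><member>any</member></source>
                  <destination><member>dmz-web-01</member></destination>
                  <application><member>ssh</member></application>
                  <service><member>any</member></service>
                  <action>allow</action>
                </entry>
                <entry name="block-outside-to-dmz">
                  <from><member>OUTSIDE</member></from>
                  <to><member>DMZ</member></to>
                  <source><member>any</member></source>
                  <destination><member>any</member></destination>
                  <application><member>any</member></application>
                  <service><member>any</member></service>
                  <action>deny</action>
                </entry>
              </rules>
            </security>
          </rulebase>
        </entry>
      </vsys>
    </entry>
  </devices>
</config>
"""


def _members(rule, tag):
    """Return the <member> values under <tag> of a rule entry ([] if absent)."""
    return [m.text.strip() for m in rule.findall(f"./{tag}/member") if m.text]


def audit_security_rules(config_xml):
    """Return a finding dict for every allow rule whose Service includes 'any'.

    The path matches the vsys rulebase as well as Panorama pre-/post-rulebase,
    since all of them nest rules under security/rules/entry.
    """
    root = ET.fromstring(config_xml)
    findings = []
    for rule in root.iterfind(".//security/rules/entry"):
        if (rule.findtext("action") or "").strip() != "allow":
            continue  # only policies that allow traffic are in scope
        if "any" not in _members(rule, "service"):
            continue
        findings.append({
            "name": rule.get("name"),
            "from": _members(rule, "from"),
            "to": _members(rule, "to"),
            "application": _members(rule, "application"),
            # Disabled rules are still reported so they are fixed before re-enabling.
            "disabled": (rule.findtext("disabled") or "no").strip() == "yes",
        })
    return findings


def remediation_commands(findings):
    """PAN-OS configure-mode commands that switch each rule to application-default."""
    cmds = []
    for f in findings:
        name = f'"{f["name"]}"' if " " in f["name"] else f["name"]
        cmds.append(f"set rulebase security rules {name} service application-default")
    return cmds


if __name__ == "__main__":
    xml_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    results = audit_security_rules(xml_text)
    for f in results:
        state = " (disabled)" if f["disabled"] else ""
        print(f"{f['name']}{state}: {f['from']} -> {f['to']} app={f['application']} service=any")
    for cmd in remediation_commands(results):
        print(cmd)
```

Run it as `python audit_service_any.py running-config.xml`; with no argument it audits the embedded sample and reports only dmz-ssh-any-svc. Rules that legitimately need a non-standard port should be pointed at a service object listing just those ports rather than left at any, so treat the generated command as a starting point, not a blanket change.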
Default Value:
Not Configured