Information
Create security policies specifying application-default for the Service setting, or the specific ports desired. The Service setting of any should not be used for any policies that allow traffic.
Rationale:
App-ID requires a number of packets to traverse the firewall before an application can be identified and either allowed or dropped. Because of this behavior, even when an application is defined in a security policy, a Service setting of any may allow a device in one zone to perform port scans on IP addresses in a different zone. In addition, this recommendation helps to avoid an App-ID cache pollution attack.
Because of how App-ID works, configuring the Service setting to any allows some initial traffic to reach the target host before App-ID can recognize and appropriately restrict the traffic. Setting the Service setting to application-default (or to the specific ports required) at least restricts that initial volume of traffic to the ports of the target applications or protocols.
Solution
Navigate to Policies > Security.
Set a Security Policy that has:
Source:
Zone set to OUTSIDE
Address set to any
Destination:
Zone set to DMZ
Address set to <DMZ IP Address>
Application set to web-browsing
Service set to application-default and NOT to any
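As an added example that is not part of this benchmark text, the following Python script audits an exported PAN-OS security rulebase for rules that allow traffic with Service set to any, which is the condition this recommendation prohibits. The XML sample is constructed for the example (rule names and address object names are made up), and it assumes the rulebase/security/rules/entry layout used by PAN-OS configuration exports.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the layout of a PAN-OS security rulebase export.
# Rule names and address objects are made up for this example.
SAMPLE_CONFIG = """<config><rulebase><security><rules>
  <entry name="outside-to-dmz-web">
    <from><member>OUTSIDE</member></from>
    <to><member>DMZ</member></to>
    <source><member>any</member></source>
    <destination><member>DMZ-web-server</member></destination>
    <application><member>web-browsing</member></application>
    <service><member>application-default</member></service>
    <action>allow</action>
  </entry>
  <entry name="outside-to-dmz-legacy">
    <from><member>OUTSIDE</member></from>
    <to><member>DMZ</member></to>
    <source><member>any</member></source>
    <destination><member>DMZ-legacy-host</member></destination>
    <application><member>ssh</member></application>
    <service><member>any</member></service>
    <action>allow</action>
  </entry>
  <entry name="block-everything-else">
    <application><member>any</member></application>
    <service><member>any</member></service>
    <action>deny</action>
  </entry>
</rules></security></rulebase></config>"""


def allow_rules_with_service_any(config_xml: str) -> list:
    """Return names of security rules that allow traffic with Service = any.

    Deny rules are ignored: the recommendation only concerns rules that
    allow traffic, since blocked packets never reach the target host.
    """
    root = ET.fromstring(config_xml)
    offenders = []
    for rule in root.iterfind(".//rulebase/security/rules/entry"):
        action = (rule.findtext("action") or "").strip()
        services = [m.text.strip() for m in rule.iterfind("service/member") if m.text]
        if action == "allow" and "any" in services:
            offenders.append(rule.get("name"))
    return offenders


if __name__ == "__main__":
    for name in allow_rules_with_service_any(SAMPLE_CONFIG):
        print(f"non-compliant: rule '{name}' allows traffic with Service set to any")
```

Run it against a real configuration export by replacing SAMPLE_CONFIG with the contents of the exported XML; the compliant rule (application-default) and the deny rule are not reported.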
Default Value:
Not Configured