Map Applications to Business Goals for a Simplified Rulebase

Create application groups for sanctioned applications for each set of sanctioned applications—Because you know exactly which applications you require and sanction for official use, create application groups that explicitly include only those applications. Using application groups also simplifies the administration of your policy because it allows you to add and remove sanctioned applications without requiring you to modify individual policy rules. Generally, if the applications that map to the same goal have the same requirements for enabling access (for example, they all have a destination address that points to your data center address group, they all allow access to any known user, and you want to enable them on their default ports only) you would add them to the same application group.
Tag all sanctioned applications with the predefined
Sanctioned
tag. Panorama and firewalls consider applications without the Sanctioned tag as unsanctioned applications.
Create application filters to allow each type of general application—Besides the applications you officially sanctioned, you will also need to decide what additional applications you want to allow your users to access. Application filters allow you to safely enable certain categories of applications using application filters (based on category, subcategory, technology, risk factor, or characteristic). Separate the different types of applications based on business and personal use. Create separate filters for each type of application to make it easier to understand each policy rule at a glance.