After several months of monitoring your initial internet gateway best practice security policy
and tuning the rulebase, you should see less and less traffic that you want to allow
matching the temporary rules. When you no longer see traffic that you want to allow
matching these rules, you've achieved your goal of transitioning to a fully
application-based Security policy rulebase. You can now remove the temporary rules,
including the application block rules for applications that don't have a legitimate
use case and for public DNS and SMTP applications. Those block rules are no longer
needed because that traffic matches no explicit allow rule, so the default
interzone-default deny rule blocks it automatically. (Keep the rules that block QUIC.)