You can now safely enable a broad set of applications with common attributes using a single policy rule (for example, you can allow your users broad access to web-based applications or safely enable all enterprise VoIP applications). Palo Alto Networks takes on the task of researching applications with common attributes and delivers this through tags in dynamic content updates. This:

Your firewall can then use your tag-based application filter to dynamically enforce new and updated App-IDs, without requiring you to review or update policy rules whenever new applications are added. This reduces the chances that new or updated App-IDs will impact application availability or that a risky application is misclassified. You aren't required to know and assess every single application and can create policy rules based on the tag. For categories with higher risk, this also makes policy rules more precise as content updates keep the policy rules current.

If you choose to exclude applications from a specific tag, new content updates honor those exclusions. You can also use your own tags to define applications types based on your policy requirements.

Apply Tags to an Application Filter and Create Custom Application Tags provide detailed steps for using the new tags.