After several months of monitoring your initial internet gateway best practice security policy
and tuning the rulebase, you should see less and less traffic that you want to allow
matching the temporary rules. Keep in mind that some applications are only used
quarterly or yearly for periodic meetings and events. Before you stop allowing an
application by removing it from the temporary rules without adding it to another
allow rule, make sure that it's not used only periodically and make sure that it's
not an application that's critical to your business.

When you no longer see traffic that you want to allow matching the temporary rules,
you have achieved your goal of transitioning to a fully application-based Security
policy rulebase. You can now remove the temporary rules. This includes the
application block rules for applications that don't have a legitimate use case
and for public DNS and SMTP applications: the interzone-default deny rule
automatically blocks that traffic because it matches no explicit allow rule.
(Keep the rules that block QUIC for SSL Forward Proxy.)
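
The check described above (confirm that an application is not merely periodic before its temporary rule goes away) can be scripted over exported traffic records. The following is an added example, not vendor code: the rule names, application names, record layout and thresholds are all hypothetical and constructed for illustration.

```python
from collections import defaultdict
from datetime import date

# Constructed sample records (day, temporary rule, application); the names
# and the record layout are hypothetical, not a real firewall log export.
LOG = [
    (date(2024, 1, 10), "temp-web-browsing", "quarterly-webcast"),
    (date(2024, 4, 9), "temp-web-browsing", "quarterly-webcast"),
    (date(2024, 7, 11), "temp-web-browsing", "quarterly-webcast"),
    (date(2024, 2, 3), "temp-web-browsing", "old-file-share"),
    (date(2024, 2, 4), "temp-web-browsing", "old-file-share"),
    (date(2024, 9, 20), "temp-unknown-tcp", "inventory-sync"),
    (date(2024, 3, 1), "temp-unknown-udp", "legacy-voip"),
]

def classify(log, today, quiet_days=60, gap_days=60):
    """Label each (rule, app): active, periodic (quiet now but recurs), or stale."""
    seen = defaultdict(list)
    for day, rule, app in log:
        seen[(rule, app)].append(day)
    status = {}
    for key, days in seen.items():
        days.sort()
        gaps = [(b - a).days for a, b in zip(days, days[1:])]
        if (today - days[-1]).days < quiet_days:
            status[key] = "active"
        elif any(g >= gap_days for g in gaps):
            status[key] = "periodic"  # came back after a long silence before
        else:
            status[key] = "stale"     # one burst only; confirm with the app owner
    return status

def removable_rules(status):
    """A temporary rule is a removal candidate only if every app on it is stale."""
    by_rule = defaultdict(set)
    for (rule, _app), label in status.items():
        by_rule[rule].add(label)
    return sorted(r for r, labels in by_rule.items() if labels == {"stale"})

if __name__ == "__main__":
    result = classify(LOG, today=date(2024, 10, 1))
    for (rule, app), label in sorted(result.items()):
        print(f"{rule:20} {app:20} {label}")
    print("removal candidates:", removable_rules(result))
```

An application used only yearly shows up as periodic only if the records span more than one year, so a "stale" label is a prompt to check business criticality, not proof that the application is gone.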