Maximizing Palo Alto Security Features vs. Traditional Firewall Approaches

How is your organization structuring Palo Alto firewall policies?

We transitioned to Palo Alto from a more traditional network-layer firewall (IP/Port-based rules), and while we've taken advantage of some of the next-gen security features, many of our policies still reflect that old approach to some extent.

With Palo Alto’s ability to inspect traffic at a deeper level, we were encouraged to move toward a more application-aware model for tighter security. I’m curious how others are managing their policies:

- Do you primarily allow only approved, low-risk applications that align with company policies?

- Or do you take a more layered approach with broad block rules and specific allow-list exceptions?

- How much effort do you put into maintaining and refining these rules over time?

- Or is there a more effective and manageable way to approach this that I may not be considering—one that doesn’t introduce unintended pitfalls?

Would love to hear the approach other organizations are taking!
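An added example, not from the original post or from Palo Alto, of how one might audit a rulebase for allow rules that still follow the port-based pattern described above (App-ID "any" with specific services) versus App-ID-restricted rules. It assumes the XML layout of a PAN-OS configuration export (`rulebase/security/rules/entry` with `application`, `service` and `action` children) and runs on a constructed sample rather than a real export.

```python
# Added example (not from the post): audit a PAN-OS-style rulebase for allow rules
# that still rely on ports rather than App-ID. Assumes the XML layout of a PAN-OS
# config export (rules/entry with <application>, <service>, <action>); sample is constructed.
import xml.etree.ElementTree as ET

SAMPLE_RULEBASE = """<rulebase><security><rules>
<entry name="legacy-web"><from><member>trust</member></from><to><member>untrust</member></to>
 <application><member>any</member></application>
 <service><member>tcp-80</member><member>tcp-443</member></service><action>allow</action></entry>
<entry name="any-any-out"><from><member>trust</member></from><to><member>untrust</member></to>
 <application><member>any</member></application>
 <service><member>any</member></service><action>allow</action></entry>
<entry name="approved-saas"><from><member>trust</member></from><to><member>untrust</member></to>
 <application><member>ssl</member><member>web-browsing</member></application>
 <service><member>application-default</member></service><action>allow</action></entry>
<entry name="block-rest"><from><member>any</member></from><to><member>any</member></to>
 <application><member>any</member></application>
 <service><member>any</member></service><action>deny</action></entry>
</rules></security></rulebase>"""

def _members(entry, tag):
    """Collect the <member> values under the given child element of a rule."""
    return [m.text.strip() for m in entry.findall(f"./{tag}/member") if m.text]

def classify_rule(entry):
    """'port-based': App-ID any but specific services (the legacy pattern);
    'any-any': allows everything; 'app-aware': App-ID restricted; 'deny': not an allow."""
    if (entry.findtext("action") or "").strip() != "allow":
        return "deny"
    apps, svcs = _members(entry, "application"), _members(entry, "service")
    if "any" in apps:
        return "any-any" if "any" in svcs else "port-based"
    return "app-aware"

def audit_rulebase(xml_text):
    """Return {rule name: classification} for every security rule in the rulebase."""
    root = ET.fromstring(xml_text)
    return {e.get("name"): classify_rule(e) for e in root.findall("./security/rules/entry")}

def legacy_rules(xml_text):
    """Names of allow rules that do not restrict App-ID, i.e. candidates to convert."""
    kinds = audit_rulebase(xml_text)
    return sorted(n for n, k in kinds.items() if k in ("port-based", "any-any"))

if __name__ == "__main__":
    for name, kind in audit_rulebase(SAMPLE_RULEBASE).items():
        print(f"{kind:10} {name}")
```

Running it against a real export, the `port-based` rules are the ones where App-ID visibility (e.g. from traffic logs) can be used to decide which applications to allow explicitly, and `any-any` allow rules are the ones worth reviewing first.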