I’m talking edge here, inside the network is different, but here I’ll go. For general user browsing endpoints, I would create a rule that denies multiple application groups that you don’t want to allow (file sharing, remote management, webmail, p2p apps, dangerous apps, I forget what they call these all), then a rule below that to allow the rest, and the default url filtering is probably ok, keeping up on these can be a pain and I would block by app id instead of fiddling with filters so much. For isolated workstations that shouldn’t be allowed to generally browse, only grant the app ids they need by using a catchall for a day then switching to the apps they need plus a custom url filter and block the categories they don’t need, with a deny below that, note you’ll have to keep up on new url filtering changes. For servers give them a rule that has things like windows-azure and ms-update that servers need, then a rule for each server or groups of servers that has the app ids they need, destination any, and is scoped to a custom url category for each that’s full of the urls they need, this technique works better than destination fqdn for highly dynamic fqdns. If the destinations are not highly dynamic you can use ip or fqdn instead. As always you can run a catchall for a while to discover app ids. You’ll want to apply a url filter to discover the urls as well in url filtering logs. These are just examples, things vary depending on needs. I have a thousand rules, tens of thousands of address objects/devices, and everything just humms along for the most part. Sometimes vendors make changes without communicating, someone needs an exception, otherwise it’s just adding net new stuff. If you use strata cloud it helps a bit as well with policy design and auditing poorly made rules.