AFAIK from CP TAC, APP/URL filtering rules should have no "Drop Any" rule as the last rule at all. Also, CP does recommend removing/disabling as many Accept rules in URLF/Application rules as possible. URLF/Application control accept rules serve no enforcement purposes, since any traffic which is not explicitly blocked will just be allowed. Such rules, however, do cause traffic to be matched on them - which causes high CPU usage.
So URLF/Application rules should just restrict unwanted traffic and let the rest pass. But of course I know that there may be special requirements that cannot be fulfilled using that concept...
CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist