I've not tried it, but theoretically your suggestion makes sense.
Even though the Facebook rule, using the Facebook application, will show the protocol/port as TCP/80, the AppPrism signature is the element which determines whether the traffic it is seeing pass over port 80 is actually Facebook or not.
So, based on your rule logic, anyone trying to perform generic web browsing may hit the Facebook rule momentarily (as it is using tcp/80), but the AppPrism signature will confirm that it is not Facebook. The traffic will then pass to the next rule in the list, which is for generic HTTP but is a deny rule.
Where this becomes a bit more tricky is (as I would assume) you do still want to allow users to web browse. Your current logic would not allow this - as you are denying HTTP. A rule will need to be in place to allow this and anything conforming to the HTTP protocol standard will be allowed to use this rule, which could be seen as a bit of a catch-22.
The AppPrism signature database is running at 1366 signatures (and counting). If you want to allow HTTP web browsing, allow Facebook, but deny other generic HTTP-aware web applications you could look to see whether they are present in the signature database and create an explicit deny rule for the group of applications in question.
The Facebook application will pass all HTTP traffic that does not match another Application the firewall already has a signature for.
- Make a rule that Allows the 'facebook' application out.
- Try to go to Facebook - you're allowed.
- Try to go to CNN.com - you're allowed.
- Try to go to Google News - you're denied.
- Try to go to Yahoo Finance - you're denied.
- Try to go to the Yahoo homepage - you're allowed.
The firewall has application signatures for Google News and Yahoo Finance, so it will not allow you to browse to those sites. It does not have signatures for CNN or the Yahoo homepage so you are allowed to browse to those sites. This is regardless of the 'Application Discovery' setting in the Zone configuration (which is for auditing).
If you want to Allow and Block specific sites then SmartFilter is the best option here.
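To make the rule-ordering behaviour described in both replies concrete, here is an added Python model of first-match rule evaluation with application signatures. It is not code from the original thread or from the firewall vendor: the signature database is a constructed hostname-to-application table standing in for real payload classification, and the `strict` switch selects between the two readings above (an application rule matching only its own signature, as the first reply reasons, versus the 'facebook' rule also admitting unclassified HTTP, as the second reply observed; the model assumes that observed behaviour applies to any application rule). Rule names, hostnames and the policy layouts are all constructed for illustration.

```python
"""Model of first-match firewall rule evaluation with application signatures (illustrative only)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple

# Constructed stand-in for the signature database: hostname -> application name.
# A real AppPrism signature classifies the HTTP payload; the hostname lookup is an assumption here.
SIGNATURES: Dict[str, str] = {
    "www.facebook.com": "facebook",
    "news.google.com": "google_news",
    "finance.yahoo.com": "yahoo_finance",
}

GENERIC_HTTP = "http"  # rule application meaning "anything conforming to the HTTP protocol"


@dataclass(frozen=True)
class Flow:
    host: str
    port: int


@dataclass(frozen=True)
class Rule:
    name: str
    apps: Sequence[str]  # application names this rule covers
    action: str          # "allow" or "deny"


def classify(flow: Flow) -> Optional[str]:
    """Return the signature-identified application, or None for unclassified traffic."""
    return SIGNATURES.get(flow.host)


def rule_matches(rule: Rule, flow: Flow, app: Optional[str], strict: bool) -> bool:
    if flow.port != 80:          # all rules here are tcp/80 application rules
        return False
    if GENERIC_HTTP in rule.apps:
        return True               # generic HTTP rule matches any HTTP flow
    if app is not None:
        return app in rule.apps   # classified flow matches only a rule naming its app
    # Unclassified HTTP: strict=True means only a generic HTTP rule can catch it
    # (first reply's reasoning); strict=False means an application rule admits it
    # (behaviour the second reply reports for 'facebook'; assumed here for any app rule).
    return not strict


def evaluate(rules: Sequence[Rule], flow: Flow, strict: bool) -> Tuple[str, str]:
    """First matching rule wins; anything unmatched falls to an implicit deny."""
    app = classify(flow)
    for rule in rules:
        if rule_matches(rule, flow, app, strict):
            return rule.name, rule.action
    return "implicit-deny", "deny"


def evaluate_all(rules: Sequence[Rule], hosts: List[str], strict: bool) -> Dict[str, str]:
    return {h: evaluate(rules, Flow(h, 80), strict)[1] for h in hosts}


HOSTS = ["www.facebook.com", "www.cnn.com", "news.google.com",
         "finance.yahoo.com", "www.yahoo.com"]

# Policy from the second reply's test: a single rule allowing the 'facebook' application.
POLICY_FACEBOOK_ONLY = [Rule("allow-facebook", ("facebook",), "allow")]

# Policy as the first reply reads the original question: allow Facebook, then deny generic HTTP.
POLICY_FB_THEN_DENY_HTTP = [
    Rule("allow-facebook", ("facebook",), "allow"),
    Rule("deny-http", (GENERIC_HTTP,), "deny"),
]

# First reply's suggestion: explicit deny for a group of signatures, then allow generic browsing.
POLICY_DENY_GROUP = [
    Rule("allow-facebook", ("facebook",), "allow"),
    Rule("deny-news-group", ("google_news", "yahoo_finance"), "deny"),
    Rule("allow-http", (GENERIC_HTTP,), "allow"),
]

if __name__ == "__main__":
    for label, policy, strict in [
        ("facebook-only (observed semantics)", POLICY_FACEBOOK_ONLY, False),
        ("facebook then deny-http (strict)", POLICY_FB_THEN_DENY_HTTP, True),
        ("deny group then allow-http (strict)", POLICY_DENY_GROUP, True),
    ]:
        print(label)
        for host in HOSTS:
            print(f"  {host:20s} -> {evaluate(policy, Flow(host, 80), strict)}")
```

Running it reproduces the second reply's results for the facebook-only policy (CNN and the Yahoo homepage allowed, Google News and Yahoo Finance denied), shows the catch-22 from the first reply when a generic HTTP deny follows the Facebook rule under strict matching (only Facebook gets through), and shows that an explicit deny for the signature group placed before a generic HTTP allow gives the intended outcome under either reading. The worth of the model is in making the ordering and classification assumptions explicit; the actual behaviour of a given firewall release should still be confirmed with a test like the one in the second reply.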