When viewing a session with the show session id CLI command, the security rule matched is "default" and the final line shows: "appid policy lookup deny".
Cause
The behavior may be caused by a policy configured with Application Default as the service. When Application Default is selected as the service on a security rule, the Palo Alto Networks firewall will first check the application of the traffic. Once identified, it will compare the port used with the list of default ports for that application. If a match is not found, the firewall will drop the session with the "appid policy lookup deny" message.
Solution
Disable the Application Default part of the rule, or modify the existing application to include the appropriate port(s).
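The lookup described under Cause, and both fixes from Solution, as a simplified model. This is an added example, not Palo Alto Networks code: the Rule class, the lookup function, the rule name allow-ssh, the port table and port 2222 are all constructed for illustration.

```python
from dataclasses import dataclass

# Constructed sample table: default (protocol, port) pairs per application.
APP_DEFAULT_PORTS = {"ssh": {("tcp", 22)}, "web-browsing": {("tcp", 80)}}

@dataclass
class Rule:
    name: str
    applications: set          # application names, or {"any"}
    service: object            # "application-default", "any", or a set of (proto, port)
    action: str = "allow"

def service_matches(rule, app, proto, port, app_ports):
    if rule.service == "any":
        return True
    if rule.service == "application-default":
        # Port is checked against the identified application's default list.
        return (proto, port) in app_ports.get(app, set())
    return (proto, port) in rule.service

def lookup(rules, app, proto, port, app_ports=APP_DEFAULT_PORTS):
    """Return (rule, action, reason) for a session whose application is identified."""
    for rule in rules:
        app_ok = "any" in rule.applications or app in rule.applications
        if app_ok and service_matches(rule, app, proto, port, app_ports):
            return rule.name, rule.action, "matched"
    # Nothing matched: the session lands on the "default" rule and is dropped.
    return "default", "deny", "appid policy lookup deny"

# Hypothetical rulebase: SSH allowed, service set to Application Default.
RULES = [Rule("allow-ssh", {"ssh"}, "application-default")]

# Fix 1: the same rule without Application Default as the service.
RULES_FIX1 = [Rule("allow-ssh", {"ssh"}, "any")]

# Fix 2: the application's port list extended with the port in use.
PORTS_FIX2 = {**APP_DEFAULT_PORTS, "ssh": {("tcp", 22), ("tcp", 2222)}}

if __name__ == "__main__":
    print(lookup(RULES, "ssh", "tcp", 22))
    print(lookup(RULES, "ssh", "tcp", 2222))
    print(lookup(RULES_FIX1, "ssh", "tcp", 2222))
    print(lookup(RULES, "ssh", "tcp", 2222, PORTS_FIX2))
```

In this model Fix 1 uses a service of "any", which accepts the application on every port; passing a set such as {("tcp", 22), ("tcp", 2222)} as the service keeps the rule limited to the ports actually in use.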