For instance in an incoming Skype for Business Service you can define The Skype for business Application rules and the Firewall will automatically inspect and open the ports required by Skype. As the service is modified the Firewall will open the ports as necessary. This removes the tedious redefining of ports/IP Rules.
Rules can also be set Geographically, or by User. By using a sophisticated, agentless Content inspection engine the Firewall can limit outgoing and incoming traffic by packet content.
If you want to block Facebook chat for a specific user or AD group, except between certain hours. You can do that. It really is that granular and dynamic.