At one point in the past I was running BOINC and Thunderbird in network-restricted AppVMs. The sys-firewall was set to the default deny mode so that I could prevent connections to anywhere except the specific servers I gave it permission to reach. I had a Python script that ran tcpdump in a pipe, read its output and then auto-generated the Qubes firewall commands needed to open the firewall, but I manually chose which addresses to actually allow.
When the firewall blocks a packet it sends a specific ICMP packet back to the AppVM containing the address/port that was blocked. I simply filtered for and read those packets from tcpdump and printed the appropriate ‘add’ command to stdout in a terminal so I could then copy/paste that command to another terminal window to add the address/port once I had investigated why the requesting program might have needed that connection. It would be trivial to add a GUI with a click-to-add button.
This could likely be done on the internal interface in sys-firewall (untested) or in the AppVM (where you could also check which process was using that port number, e.g. with netstat -pan), depending on the trust level of your AppVM. One could put this in a batch learning mode to collect all these commands during a test run and then add them to the sys-firewall permanently once verified.
As for performance, you only need to monitor it periodically, e.g. if the app stops working, like when they shift to some other round-robin server. You could easily run it as a cron job at night to see what connections had been tried while you were not there. There are, however, limitations on the number of rules you can add, so you might need to change individual addresses into network blocks once you start having those resource-limiting issues. Thunderbird, for instance, tried to check for plug-ins at lots of different addresses.
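The following is an added example of the approach the post describes; it is not the poster's own script. It assumes (these are assumptions, not details from the post) that the input is the text of `tcpdump -n -l -v icmp` run in the AppVM, that `-v` is what makes tcpdump print the embedded original header and flow (which is where the destination port lives), that sys-firewall rejects blocked packets with ICMP type 3 code 13, which tcpdump renders as "unreachable - admin prohibited filter", that the AppVM is named `work`, and that `qvm-firewall` accepts `add accept dsthost=<ip or cidr> proto=<tcp|udp> dstports=<n>`. The capture text is constructed from TEST-NET addresses. It also goes one step beyond the post by folding hosts that crowd one /24 into a single network rule, for when the rule limit mentioned above bites.

```python
#!/usr/bin/env python3
"""Turn the ICMP rejects tcpdump shows for blocked connections into
qvm-firewall 'add' commands for manual review.

Added example, not the post author's script. Hypothetical assumptions:
  * input is `tcpdump -n -l -v icmp` text (-v prints the embedded original
    header, which carries the port);
  * sys-firewall answers blocked packets with ICMP type 3 code 13, shown by
    tcpdump as "unreachable - admin prohibited filter";
  * the AppVM is called "work" and qvm-firewall accepts
    `add accept dsthost=<ip|cidr> proto=<tcp|udp> dstports=<n>`.
"""
import ipaddress
import re
from collections import Counter, defaultdict
from typing import Iterable, List, NamedTuple

# "... ICMP host 198.51.100.10 unreachable - admin prohibited filter, length 68"
REJECT_RE = re.compile(r"ICMP host (?P<host>\d+(?:\.\d+){3}) unreachable - admin prohibited")
# Embedded original header: "IP (tos 0x0, ..., proto TCP (6), length 60)"
PROTO_RE = re.compile(r"proto (?P<proto>TCP|UDP) \(\d+\)")
# Embedded original flow: "10.137.0.12.52314 > 198.51.100.10.443: Flags [S], ..."
FLOW_RE = re.compile(r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > (?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):")


class Blocked(NamedTuple):
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


def parse_rejects(text: str) -> List[Blocked]:
    """Pair each admin-prohibited ICMP line with the embedded original packet
    printed (indented) right after it; unrelated ICMP records are skipped."""
    found: List[Blocked] = []
    pending = None   # destination named in the ICMP line, awaiting its embedded packet
    proto = None
    for line in text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            pending, proto = m.group("host"), None
            continue
        if pending is None or not line[:1].isspace():
            pending = None           # new top-level record without a match: drop state
            continue
        pm = PROTO_RE.search(line)
        if pm:
            proto = pm.group("proto").lower()
            continue
        fm = FLOW_RE.search(line)
        if fm and fm.group("dst") == pending:
            if proto is None:        # no header line seen; infer from the flow text
                proto = "tcp" if "Flags [" in line else "udp"
            found.append(Blocked(pending, proto, int(fm.group("dport"))))
            pending = None
    return found


def firewall_commands(blocked: Iterable[Blocked], vm: str) -> List[str]:
    """One deduplicated, sorted 'add' command per (dst, proto, port); the hit
    count rides in a trailing shell comment so the reviewer sees how often it
    was tried before deciding whether to paste it."""
    hits = Counter(blocked)
    return [
        f"qvm-firewall {vm} add accept dsthost={b.dst} proto={b.proto} dstports={b.dport}"
        f"  # {hits[b]} attempt(s)"
        for b in sorted(hits, key=lambda b: (ipaddress.ip_address(b.dst), b.proto, b.dport))
    ]


def collapse_hosts(hosts: Iterable[str], prefix: int = 24, min_hosts: int = 3) -> List[str]:
    """Fold hosts into one /prefix network wherever at least min_hosts of them
    share it (to stay under the rule limit); the rest stay as single hosts."""
    groups = defaultdict(set)
    for h in hosts:
        groups[ipaddress.ip_network(f"{h}/{prefix}", strict=False)].add(h)
    out: List[str] = []
    for net, members in sorted(groups.items()):
        if len(members) >= min_hosts:
            out.append(str(net))
        else:
            out.extend(sorted(members, key=ipaddress.ip_address))
    return out


# Constructed sample capture in tcpdump -n -v layout (not a real capture).
SAMPLE = """\
12:00:01.000001 IP (tos 0xc0, ttl 64, id 0, offset 0, flags [none], proto ICMP (1), length 88)
    10.137.0.5 > 10.137.0.12: ICMP host 198.51.100.10 unreachable - admin prohibited filter, length 68
\tIP (tos 0x0, ttl 63, id 4242, offset 0, flags [DF], proto TCP (6), length 60)
    10.137.0.12.52314 > 198.51.100.10.443: Flags [S], seq 1, win 64240, length 0
12:00:02.000001 IP (tos 0xc0, ttl 64, id 0, offset 0, flags [none], proto ICMP (1), length 88)
    10.137.0.5 > 10.137.0.12: ICMP host 198.51.100.10 unreachable - admin prohibited filter, length 68
\tIP (tos 0x0, ttl 63, id 4243, offset 0, flags [DF], proto TCP (6), length 60)
    10.137.0.12.52315 > 198.51.100.10.443: Flags [S], seq 1, win 64240, length 0
12:00:03.000001 IP (tos 0xc0, ttl 64, id 0, offset 0, flags [none], proto ICMP (1), length 88)
    10.137.0.5 > 10.137.0.12: ICMP host 198.51.100.11 unreachable - admin prohibited filter, length 68
\tIP (tos 0x0, ttl 63, id 4244, offset 0, flags [DF], proto TCP (6), length 60)
    10.137.0.12.52316 > 198.51.100.11.443: Flags [S], seq 1, win 64240, length 0
12:00:04.000001 IP (tos 0xc0, ttl 64, id 0, offset 0, flags [none], proto ICMP (1), length 88)
    10.137.0.5 > 10.137.0.12: ICMP host 198.51.100.12 unreachable - admin prohibited filter, length 68
\tIP (tos 0x0, ttl 63, id 4245, offset 0, flags [DF], proto TCP (6), length 60)
    10.137.0.12.52317 > 198.51.100.12.443: Flags [S], seq 1, win 64240, length 0
12:00:05.000001 IP (tos 0xc0, ttl 64, id 0, offset 0, flags [none], proto ICMP (1), length 76)
    10.137.0.5 > 10.137.0.12: ICMP host 203.0.113.7 unreachable - admin prohibited filter, length 56
\tIP (tos 0x0, ttl 63, id 4246, offset 0, flags [DF], proto UDP (17), length 48)
    10.137.0.12.40000 > 203.0.113.7.123: NTP, Client, length 20
12:00:06.000001 IP (tos 0x0, ttl 64, id 7, offset 0, flags [none], proto ICMP (1), length 84)
    10.137.0.5 > 10.137.0.12: ICMP echo reply, id 1, seq 1, length 64
"""

if __name__ == "__main__":
    blocked = parse_rejects(SAMPLE)
    for cmd in firewall_commands(blocked, "work"):
        print(cmd)
    print("# as network blocks:", " ".join(collapse_hosts({b.dst for b in blocked})))
```

In practice you would feed it live with something like `tcpdump -n -l -v icmp | python3 thisscript.py` reading stdin instead of `SAMPLE`, and paste only the commands whose purpose you have checked (netstat -pan on the source port, as the post suggests). Without `-v` tcpdump omits the embedded header, so only the host, not the port, is recoverable.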