Working on converting from an ACL to ZBF and running into a snag of a sort. Problem is with an ISR 4331 running IOS XE 03.16.05.S.

The protocol, in this example, is using TCP port 2001, communicating with a custom API on a server. From looking at (older) documentation it seems that the suggested way to do this would be to define a custom PAM using:

ip port-map user-API port tcp 2001

Then doing our class-map/policy-map as normal:

ip access-list extended OUTSIDE_SERVER

permit ip host 10.0.0.1 any

class-map type inspect match-all OUTSIDE_SERVER-CMAP

match access-group name OUTSIDE_SERVER

match protocol user-API

The above appears to be fine in our lab on a 2921 (at least as far as configuring), however, it doesn't appear that you can define custom PAMs on the ISR4331 as you get "invalid input detected" when you try to use ip port-map user-[word].  

Is there a new/recommended way to handle this? The way it's looking at the moment I can use my existing ACL with minimal changes and point the class-map to it, but I lose visibility on the traffic. The other option seems to be to create one ACL for the address portion of the traffic and another ACL for the ports, then class-map both of them. Is there something I'm not seeing?