FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
adimailig
Staff
Article Id 284615
Description This article describes one cause of FortiGate not inspecting web traffic (Web Filter) and not generating any web filter logs.
The issue occurs on firewall policies and web filter profiles that use proxy inspection mode.
Scope FortiGate.
Solution

On this deployment, the firewall policy and web filter profile are configured with the following parameters.

Capture.PNG

Social Networking has the action BLOCK in the Web Filter Profile. A URL Filter entry for '*facebook*' is also in place.

Capture2.PNG

Capture3.PNG

However, users are still able to access Social Networking sites. In addition, the debug flow shows that FortiGate is not sending the traffic to the Application Layer for further checking/inspection:

id=65308 trace_id=1061 func=fw_forward_handler line=1009 msg="Allowed by Policy-1: SNAT"
id=65308 trace_id=1061 func=ip_session_confirm_final line=3112 msg="npu_state=0x100, hook=4"
id=65308 trace_id=1061 func=__ip_session_run_tuple line=3451 msg="SNAT 192.168.10.5->10.47.1.80:56157"

 

Checking the Forward Traffic logs shows that traffic to Facebook (or another blocked URL) is allowed, and no Web Filter logs are shown.

Capture6.PNG

Capture5.PNG

Solution:

One possible reason for this behavior is a misconfigured Protocol Options profile. Proxy inspection mode uses the Protocol Options profile to determine which protocols are inspected.

Further checking of the Protocol Options shows that the firewall policy is using a custom profile in which HTTP is disabled.
This means that HTTP traffic matching this firewall policy is not being inspected at all, so the web filter profile never sees it.
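As an added example (not part of the original article or Fortinet's own tooling), the following Python script audits a FortiOS configuration dump for exactly this misconfiguration: a proxy-mode firewall policy with UTM enabled and a web filter profile attached, whose Protocol Options profile has HTTP disabled. The configuration text is a constructed sample written in the standard FortiOS CLI syntax (`config firewall profile-protocol-options` and `config firewall policy`); the profile name "custom-no-http", the interface names and the policy numbers are assumptions, as is the parser's assumption that a policy with no `profile-protocol-options` line uses the profile named "default" and that an absent `status` line under `config http` means enabled.

```python
import re

# Constructed sample config (FortiOS CLI syntax); names and numbers are assumptions.
SAMPLE_CONFIG = """\
config firewall profile-protocol-options
    edit "default"
        config http
            set ports 80
            set status enable
        end
    next
    edit "custom-no-http"
        config http
            set ports 80
            set status disable
        end
        config ftp
            set ports 21
            set status enable
        end
    next
end
config firewall policy
    edit 1
        set name "Policy-1"
        set srcintf "port2"
        set dstintf "port1"
        set action accept
        set inspection-mode proxy
        set utm-status enable
        set webfilter-profile "default"
        set profile-protocol-options "custom-no-http"
        set nat enable
    next
    edit 2
        set name "Policy-2"
        set action accept
        set inspection-mode proxy
        set utm-status enable
        set webfilter-profile "default"
        set profile-protocol-options "default"
    next
end
"""


def parse_fortios_config(text):
    """Minimal parser for FortiOS 'config / edit / set / next / end' blocks.

    Returns nested dicts: {table: {entry: {key: value, sub-table: {...}}}}.
    """
    root = {}
    stack = [root]  # container we are currently filling
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("config "):
            node = stack[-1].setdefault(line[len("config "):], {})
            stack.append(node)
        elif line.startswith("edit "):
            node = stack[-1].setdefault(line[len("edit "):].strip('"'), {})
            stack.append(node)
        elif line.startswith("set "):
            key, _, value = line[len("set "):].partition(" ")
            stack[-1][key] = value.strip('"')
        elif line in ("next", "end"):
            stack.pop()
    return root


def audit_proxy_policies(cfg):
    """Flag proxy-mode policies whose Protocol Options profile has HTTP disabled.

    Only policies with utm-status enabled and a web filter profile are relevant,
    because those are the ones expected to produce web filter inspection and logs.
    """
    profiles = cfg.get("firewall profile-protocol-options", {})
    findings = []
    for policy_id, policy in cfg.get("firewall policy", {}).items():
        if policy.get("inspection-mode") != "proxy" or policy.get("utm-status") != "enable":
            continue
        if "webfilter-profile" not in policy:
            continue
        # Assumption: an unset profile-protocol-options falls back to "default".
        profile_name = policy.get("profile-protocol-options", "default")
        http = profiles.get(profile_name, {}).get("http", {})
        # Assumption: a missing status line under "config http" means enabled.
        if http.get("status", "enable") != "enable":
            findings.append({"policy": policy_id, "name": policy.get("name"),
                             "profile": profile_name})
    return findings


if __name__ == "__main__":
    for f in audit_proxy_policies(parse_fortios_config(SAMPLE_CONFIG)):
        print(f"policy {f['policy']} ({f['name']}): HTTP disabled in protocol options "
              f"profile '{f['profile']}', web filter will not see HTTP traffic")
```

Run against a real `show full-configuration` export, the script lists every policy where the web filter profile is effectively dead for HTTP. The fix on the device is the CLI equivalent of the GUI change described in this article: under `config firewall profile-protocol-options`, edit the custom profile, enter `config http` and `set status enable`.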

Capture7.PNG

After enabling HTTP in the Protocol Options profile, web filtering works as expected.
The debug flow now confirms that the traffic is sent to the Application Layer for inspection,
and web filter logs are generated on the FortiGate:


id=65308 trace_id=1735 func=fw_forward_handler line=1009 msg="Allowed by Policy-1: AV SNAT"
id=65308 trace_id=1735 func=ip_session_confirm_final line=3112 msg="npu_state=0x100, hook=4"
id=65308 trace_id=1735 func=av_receive line=446 msg="send to application layer"
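As an added example (not from the article or from Fortinet), the following Python snippet turns the two debug flow excerpts above, the one before the fix and the one after, into a quick check: it groups `diagnose debug flow` lines by `trace_id`, extracts the policy name and flags from the `fw_forward_handler` line, and reports sessions that were allowed by a policy but never handed to the application layer (no `av_receive ... "send to application layer"` line). The sample input is a constructed concatenation of the six lines shown in this article; the parsing of any other debug flow message formats is not attempted.

```python
import re
from collections import defaultdict

# Constructed sample: the article's two debug-flow excerpts, concatenated.
# trace_id 1061 is the session before the fix, trace_id 1735 the one after.
SAMPLE_DEBUG_FLOW = """\
id=65308 trace_id=1061 func=fw_forward_handler line=1009 msg="Allowed by Policy-1: SNAT"
id=65308 trace_id=1061 func=ip_session_confirm_final line=3112 msg="npu_state=0x100, hook=4"
id=65308 trace_id=1061 func=__ip_session_run_tuple line=3451 msg="SNAT 192.168.10.5->10.47.1.80:56157"
id=65308 trace_id=1735 func=fw_forward_handler line=1009 msg="Allowed by Policy-1: AV SNAT"
id=65308 trace_id=1735 func=ip_session_confirm_final line=3112 msg="npu_state=0x100, hook=4"
id=65308 trace_id=1735 func=av_receive line=446 msg="send to application layer"
"""

LINE_RE = re.compile(
    r'trace_id=(?P<trace>\d+)\s+func=(?P<func>\S+)\s+line=\d+\s+msg="(?P<msg>[^"]*)"'
)
POLICY_RE = re.compile(r"^Allowed by (?P<policy>[^:]+): (?P<flags>.*)$")


def parse_debug_flow(text):
    """Group debug-flow lines by trace_id, keeping (func, msg) pairs in order."""
    traces = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            traces[m["trace"]].append((m["func"], m["msg"]))
    return dict(traces)


def summarize_trace(events):
    """Return the matching policy, its flags, and whether the proxy saw the session."""
    policy, flags = None, set()
    for func, msg in events:
        pm = POLICY_RE.match(msg)
        if func == "fw_forward_handler" and pm:
            policy = pm["policy"]
            flags = set(pm["flags"].split())
    # The av_receive "send to application layer" line is the marker that the
    # session was handed to proxy inspection (and therefore to the web filter).
    sent_to_proxy = any(
        func == "av_receive" and "application layer" in msg for func, msg in events
    )
    return {"policy": policy, "flags": flags, "sent_to_proxy": sent_to_proxy}


def find_uninspected_sessions(text):
    """Trace IDs allowed by a policy but never sent to the application layer."""
    result = {}
    for trace, events in parse_debug_flow(text).items():
        summary = summarize_trace(events)
        if summary["policy"] and not summary["sent_to_proxy"]:
            result[trace] = summary
    return result


if __name__ == "__main__":
    for trace, s in find_uninspected_sessions(SAMPLE_DEBUG_FLOW).items():
        print(f"trace {trace}: allowed by {s['policy']} with flags {sorted(s['flags'])}, "
              "but never sent to the application layer")
```

On the sample, trace 1061 is reported (policy flags are only SNAT, no application layer hand-off) and trace 1735 is not (AV flag present and `av_receive` reached). Pointing the script at a saved debug flow capture of a user's session gives the same answer the article derives by reading the output by hand.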

Capture8.PNG

Capture9.PNG