pathik_mehta
Staff
Article Id 352811
Description This article explains a scenario where FortiProxy failed to block a file upload to SharePoint even though the upload was blocked in application control.
Scope FortiProxy
Solution

Setup:

 

config firewall policy
    edit 1
        set type explicit-web
        set name "SharePoint"
        set uuid 3c9bf0aa-74f9-51ef-32b1-886d067caf6c
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "webproxy"
        set explicit-web-proxy "web-proxy"
        set utm-status enable
        set logtraffic all
        set log-http-transaction all
        set decrypted-traffic-mirror "test"
        set ssl-ssh-profile "custom-deep-inspection"
        set av-profile "default"
        set dlp-profile "default"
        set ips-sensor "default"
        set application-list "SharePoint"
    next
end

config application list
    edit "SharePoint"
        set other-application-log enable
        config entries
            edit 1
                set application 43947 43950
            next
            edit 2
                set application 9202 1348
            next
            edit 3
                set category 2
                set action pass
            next
            edit 4
                set category 6
                set action pass
            next
        end
    next
end

 

 

43947: app ID of Microsoft.SharePoint_File.Upload.

43950: app ID of Microsoft.SharePoint_File.Download.

 

FPX2KG-3 # diag autoupdate version | grep -i -A 6 'application'
Application Definitions
---------
Version: 28.00872 signed
Contract Expiry Date: Sat Apr 12 2025
Last Updated using the scheduled update on Thu Sep 26 10:26:53 2024
Last Update Attempt: Mon Sep 30 03:19:16 2024
Result: No Updates

 

 

In the above setup, file downloads from Microsoft SharePoint are blocked. However, a file upload to SharePoint succeeds even though the upload application is blocked by application control.

 

The WAD debug shows “Matched action=pass”:

 

ss[v] *uninit(-1) l0 name 'AddUsingPath(DecodedUrl=@a2,AutoCheckoutOnInvalidData=@a3,XorHash=@a4)' filetype detector sync

ss[v] file 'AddUsingPath(DecodedUrl=@a2,AutoCheckoutOnInvalidData=@a3,XorHash=@a4)' type: pdf(42)

ss[v] pdf(42) l0 name 'AddUsingPath(DecodedUrl=@a2,AutoCheckoutOnInvalidData=@a3,XorHash=@a4)' file detection done, type 42, password_protected 0, scanunit_only 0

ss[v] pdf(42) l0 name 'AddUsingPath(DecodedUrl=@a2,AutoCheckoutOnInvalidData=@a3,XorHash=@a4)' filetype detector close

[I]wad_http_ips_output_sync :1388 http-ips=0x7fe4648a74c0(body): out sync, n_read 16375/0, end 0

[I]wad_ips_flow_match__body :662 match ctype pdf(5)

[I]wad_ips_http_msg_task_update_ips_scan_range:1956 ips scan finished, n_scanned 20935 skip-after 20480

[I]wad_ips_http_msg_task_update_app_scan_range:1938 app scan finished, n_scanned 20935 scan_range 20480

[I]wad_ips_http_on_match_app :1055 http-ips=0x7fe4648a74c0(body): Matched action=pass(0) name='Microsoft.SharePoint'(16190) group='applications2' cat=28 can_develop=1

 

The WAD debug taken while uploading the file shows that the application was identified as 'Microsoft.SharePoint'(16190) instead of 'Microsoft.SharePoint_File.Upload'(43947).
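
The following Python script is an added example, not part of the original article or of any Fortinet tooling. It scans saved WAD debug output for the condition described above: a pass verdict under a parent signature while a sub-application signature is on the block list. The name-prefix rule and the second sample line are assumptions made for illustration.

```python
import re

# Matches the "Matched action=..." line format shown in the WAD debug above.
MATCH_RE = re.compile(
    r"wad_ips_http_on_match_app\s*:\d+\s+.*?Matched action=(?P<action>\w+)\(\d+\)\s+"
    r"name='(?P<name>[^']+)'\((?P<app_id>\d+)\)\s+"
    r"group='(?P<group>[^']*)'\s+cat=(?P<cat>\d+)"
)

# Blocked signatures named in the article. IDs 9202 and 1348 are left out
# because the article does not give their names.
BLOCKED = {
    43947: "Microsoft.SharePoint_File.Upload",
    43950: "Microsoft.SharePoint_File.Download",
}

def parse_app_matches(debug_text):
    """Return one dict per application-control match line in the debug text."""
    matches = []
    for m in MATCH_RE.finditer(debug_text):
        d = m.groupdict()
        d["app_id"], d["cat"] = int(d["app_id"]), int(d["cat"])
        matches.append(d)
    return matches

def parent_only_passes(debug_text, blocked=BLOCKED):
    """Flag traffic passed under the parent of a blocked sub-application.

    Assumption: a sub-application is named '<parent>_<suffix>', as on this page.
    """
    findings = []
    for m in parse_app_matches(debug_text):
        if m["action"] != "pass" or m["app_id"] in blocked:
            continue
        shadowed = sorted(i for i, n in blocked.items() if n.startswith(m["name"] + "_"))
        if shadowed:
            findings.append({"matched_id": m["app_id"], "matched_name": m["name"], "expected_ids": shadowed})
    return findings

# Sample input: line 1 is the match line from the debug above; line 2 is
# constructed (not captured) to show a correctly identified upload.
SAMPLE = """\
[I]wad_ips_http_on_match_app :1055 http-ips=0x7fe4648a74c0(body): Matched action=pass(0) name='Microsoft.SharePoint'(16190) group='applications2' cat=28 can_develop=1
[I]wad_ips_http_on_match_app :1055 http-ips=0x7fe4648a74c0(body): Matched action=block(1) name='Microsoft.SharePoint_File.Upload'(43947) group='applications2' cat=28 can_develop=0
"""

if __name__ == "__main__":
    for finding in parent_only_passes(SAMPLE):
        print(finding)
```

A non-empty result means the proxy applied the parent signature's action to traffic that the application list intended to block.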

 

Workaround: to block the upload, change the following setting on the FortiProxy:

 

config ips settings

    set proxy-inline-ips disable

end

 

This behavior is changed in FortiProxy v7.6.1 and above.