FortiProxy
FortiProxy provides enterprise-class protection against internet-borne threats and Advanced Web Content Caching
duenlim (Staff)
Article Id 425608
Description

This article describes how to troubleshoot the case where traffic is accepted/allowed even though the Forward Traffic log shows it matched the Implicit Deny policy.


Scope

FortiProxy.
Solution
  1. Run the WAD debug filtered on the source address. The WAD debug log shows that the traffic matched the Implicit Deny policy.

 

Example:


diagnose debug reset
diagnose wad filter src 10.176.5.104
diagnose wad debug enable category policy
Debug messages will be on for 30 minutes.
diagnose wad debug enable level verbose
Debug messages will be on for 30 minutes.
diagnose debug enable

 

[I][p:977][s:3059][r:3708] __wad_http_conn_req_classify :4713 try to match HTTPS/HTTP/FTP/SSH/DOT with nport=443
[I][p:977][s:3059][r:3708] __wad_http_conn_req_classify :4744 port=443, proto=-1, protocol not matched.
[I][p:977][s:3059][r:3708] wad_http_req_proc_policy :10193 policy result:vf_id=0:0 sec_profile=0x7f9ce35ed158 set_cookie=0
[I][p:977][s:3060][r:3710] wad_fast_match_is_enable :4111 fast matching is enabled
[I][p:977][s:3060][r:3710] __wad_fw_policy_match_user :5940 matched cached grp:NA
[V][p:977][s:3060][r:3710] wad_http_req_policy_notify :10899 notify policy match: req=0x7f9ce2d271c8 status=1 pid=977.
[I][p:977][s:3060][r:3710] wad_http_req_policy_set :10607 match policy-id=0(pol_ctx:mxhcf|Ad|7?|=d) vd=0(ses_ctx:x|Phx|Mde|Hh|C|A7|O) (10.176.5.104:52847@4 -> 180.222.114.12:443@3) -> It matched the Implicit Deny Policy.

 

  2. Make sure the setting 'sec-default-action' is set to 'deny' in the web explicit proxy configuration. The traffic is accepted because 'sec-default-action' is set to 'accept'.

 

config web-proxy explicit-proxy
    edit "web-proxy"
        set status enable
        set interface "LAN"
        set http-incoming-port 8080
        set https-incoming-port 8080
        set sec-default-action accept -> Accept or deny explicit web proxy session when no web proxy firewall policy exists (Default is Deny).
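As an added example that is not part of the article, a small Python checker that applies the two steps above to captured output: it pulls the matched policy-id out of wad_http_req_policy_set lines and reads sec-default-action from the explicit-proxy configuration. The sample debug lines and the config fragment are constructed, modelled on the ones shown here; the second flow (policy-id=5) is made up to show a normal policy match.

```python
import re

# Constructed WAD debug lines modelled on the article; the policy-id=5 flow is made up.
WAD_DEBUG = """\
[I][p:977][s:3060][r:3710] wad_http_req_policy_set :10607 match policy-id=0(pol_ctx:mxhcf|Ad|7?|=d) vd=0(ses_ctx:x|Phx|Mde|Hh|C|A7|O) (10.176.5.104:52847@4 -> 180.222.114.12:443@3)
[I][p:977][s:3061][r:3712] wad_http_req_policy_set :10607 match policy-id=5(pol_ctx:mxhcf|Ad|7?|=d) vd=0(ses_ctx:x|Phx|Mde|Hh|C|A7|O) (10.176.5.104:52850@4 -> 192.0.2.10:443@3)
"""

# Constructed explicit-proxy config fragment carrying the weak setting from the article.
EXPLICIT_PROXY_CFG = """\
config web-proxy explicit-proxy
    edit "web-proxy"
        set status enable
        set sec-default-action accept
    next
end
"""

# policy-id and the "(src:port@idx -> dst:port@idx)" tuple of a wad_http_req_policy_set line
POLICY_SET_RE = re.compile(
    r"wad_http_req_policy_set .*?match policy-id=(?P<pid>\d+).*?"
    r"\((?P<src>[\d.]+):\d+@\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)@\d+\)"
)

def implicit_deny_matches(debug_output):
    """Return (src, 'dst:port') for every flow that matched policy-id=0, the implicit deny."""
    hits = []
    for line in debug_output.splitlines():
        m = POLICY_SET_RE.search(line)
        if m and m.group("pid") == "0":
            hits.append((m.group("src"), f"{m.group('dst')}:{m.group('dport')}"))
    return hits

def sec_default_action(config_text):
    """Return the configured sec-default-action; 'deny' when unset, which is the default."""
    m = re.search(r"^\s*set sec-default-action (\S+)\s*$", config_text, re.M)
    return m.group(1) if m else "deny"

def diagnose(debug_output, config_text):
    """Tie the two checks together: implicit-deny flows only get through when
    sec-default-action is 'accept'."""
    flows = implicit_deny_matches(debug_output)
    if not flows:
        return "no implicit-deny match in debug output"
    if sec_default_action(config_text) == "accept":
        return f"{len(flows)} implicit-deny flow(s) accepted: set sec-default-action deny"
    return f"{len(flows)} implicit-deny flow(s) correctly denied"
```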