Zone Based Firewall Configuration Example

Hi Zeeshan,

Good to hear you figured it out. Did you add your GRE interface to a zone? Connections to the router itself should match the “self” zone.

Your HTTP and HTTPS traffic matches “match protocol tcp”, which is why it’s permitted. You could try to create an additional class-map which includes “match protocol http” and “match protocol https”, add it before your vpn-cmap class-map, and drop it. That should block your HTTP/HTTPS traffic but still inspect all other TCP traffic.

Rene
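
The class-map ordering suggested in the reply above, sketched as an added example that is not part of the original post. The names BLOCK-WEB-CMAP and VPN-PMAP are hypothetical, and vpn-cmap is assumed to be the existing class-map that matches TCP.

```cisco
! Added example. BLOCK-WEB-CMAP and VPN-PMAP are hypothetical names.
! vpn-cmap is the class-map from the thread, assumed to match all TCP.
!
! New class-map: matches only HTTP and HTTPS.
class-map type inspect match-any BLOCK-WEB-CMAP
 match protocol http
 match protocol https
!
! Existing class-map (shown for context only).
class-map type inspect match-any vpn-cmap
 match protocol tcp
!
policy-map type inspect VPN-PMAP
 ! Classes are evaluated top-down and the first match wins,
 ! so the more specific web class must sit above vpn-cmap.
 class type inspect BLOCK-WEB-CMAP
  drop log
 ! Everything else that is TCP is still statefully inspected.
 class type inspect vpn-cmap
  inspect
 ! Anything unmatched is dropped.
 class class-default
  drop
```

The http and https protocol matches depend on the router's port-to-application mapping (TCP 80 and 443 by default), so web traffic on other ports would still fall through to vpn-cmap. Counters per class can be checked with `show policy-map type inspect zone-pair` to confirm which class the traffic is hitting.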