HTTPS requests are not getting filtered by the offbox content filter service
Proxied web browsers make requests for HTTPS URLs via the CONNECT method, which establishes a TCP-Tunnel through an HTTP proxy. The traffic across such tunnels is not required to be HTTPS and often is not. Such tunnels are used for passing instant messaging or file sharing data through a proxy to avoid firewall port blocking. Because this traffic is not HTTPS ProxySG describes such tunnels with a URL of "tcp://hostname.example.com/" both internally and to offbox filtering services. Some offbox filtering services do not support this type of URL and improperly allow requests through.
For best control of TCP-Tunnels use onbox filtering and policy to control requests with a client protocol of "TCP Tunneling".