Source client IP address gets blocked but the hostname is not blocked in the VPM policy rule.
The ProxySG must perform a Reverse DNS lookup to resolve the IP address to its hostname. In the event that the ProxySG is unable to resolve the IP address to its hostname, the policy cannot be enforced and the request is not blocked.
To verify what is happening, you can take a packet capture (PCAP) on the DNS query for a reverse DNS lookup based on IP.
Alternatively try nslookup on any other machine on the same network segment.