Why does the policy not block the client hostname even when the client IP is blocked?