Why does the policy not block the client hostname even when the client IP is blocked?

Article ID: 167547


Products

ProxySG Software - SGOS

Issue/Introduction

The source client IP address gets blocked, but the hostname is not blocked by the VPM policy rule.

The client hostname is used in the rule's Source.

Resolution

The ProxySG must perform a Reverse DNS lookup to resolve the IP address to its hostname. In the event that the ProxySG is unable to resolve the IP address to its hostname, the policy cannot be enforced and the request is not blocked.

To verify what is happening, take a packet capture (PCAP) of the DNS query for the reverse DNS lookup of the client IP.

Alternatively, try nslookup from any other machine on the same network segment.

Also note that the reverse lookup is done for the IP address presented in the IP header of the packet. If the client IP is advertised in the X-Forwarded-For header or any other HTTP header, this will not work.
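The nslookup check above can be run over every client that a hostname-based rule is meant to cover. The following is an added example, not Broadcom or ProxySG code: it reports the PTR query name to look for in the packet capture and whether the answer matches the hostname in the rule. It goes beyond the article by also flagging a PTR that resolves to a different name, assumes an exact, case-insensitive name comparison, and uses constructed addresses and hostnames; `audit_ptr` and the sample tables are hypothetical names.

```python
import ipaddress
import socket


def system_ptr_lookup(ip):
    """Return the PTR name for ip from the local resolver, or None if there is none."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def audit_ptr(expected, lookup=system_ptr_lookup):
    """expected maps client IP -> hostname used in the policy rule.

    Returns one dict per IP with the PTR query name and a status.
    """
    results = []
    for ip, policy_host in expected.items():
        # Query name that appears in the DNS packet capture for this client.
        query = ipaddress.ip_address(ip).reverse_pointer
        answer = lookup(ip)
        if answer is None:
            status = "NO_PTR"      # no hostname available, rule cannot match
        elif answer.rstrip(".").lower() == policy_host.rstrip(".").lower():
            status = "MATCH"
        else:
            status = "MISMATCH"    # PTR resolves, but to a different name
        results.append({"ip": ip, "query": query, "ptr": answer, "status": status})
    return results


# Constructed sample data: documentation address range, hypothetical hostnames.
SAMPLE_POLICY = {
    "192.0.2.10": "pc-finance01.example.test",
    "192.0.2.11": "pc-lab07.example.test",
    "192.0.2.12": "kiosk3.example.test",
}
SAMPLE_PTR = {
    "192.0.2.10": "PC-Finance01.example.test.",
    "192.0.2.12": "dhcp-12.example.test",
}

if __name__ == "__main__":
    # Offline demo against the constructed table; omit the lookup argument
    # to query the real resolver instead.
    for row in audit_ptr(SAMPLE_POLICY, lookup=SAMPLE_PTR.get):
        print(row["ip"], row["query"], row["ptr"], row["status"])
```

Run it on a machine that uses the same DNS servers as the ProxySG, otherwise the answers may differ from what the appliance receives.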