In the report logs, a category which is supposed to be blocked is 'Allowed' with the scheme as 'tcp ://'
In the report logs, if you could see the allowed requests are with 'tcp://' scheme. These are the initial TCP hand-shake request that hits the proxy when the user tries to access any HTTPS site. The proxy will detect the protocol and then pass the request to SSL proxy (ssl:// scheme) and once SSL interception is completed you will see https://
The tcp:// requests will be 'Allowed' to always complete protocol detection and SSL interception. At this stage (tcp://), the proxy is not sending the request out to the internet. It is only trying to detect the underlying protocol and complete the interception.