Some sites that should be blocked by policy are not being blocked when using the WSS Agent (WSSA), and the sites are being accessed with IPv6.

This could be caused by connections to websites via IPv6, which the Web Security Service (WSS) does not monitor.

When visiting test.threatpulse.com, it shows "Protected" because that connection is via IPv4.

You can block IPv6 traffic through WSSA by following the steps below (which will block DNS requests for IPv6 domains), forcing the connection to IPv4 when supported by the content server: 

1. Log into your WSS Portal
2. Navigate to Connectivity > WSS Agent
3. Make sure that the following checkbox is cleared (disabled): "Allow IPv6 traffic"