A flow can be blocked due to various reasons. Even if the URL is categorized as one of the normal categories, the Resolved IP address or the IP hosting that site may trigger a block. For example, in case of Web Hosting, same IP can host multiple sites and if there were some malicious activity from that IP, the IP could have a Security categorization Malicious Sources/Malnets. It is also possible that the categorization or Risk score for the affected IP was elevated due to some past activity.
An URL will only be blocked due to Resolved IP if the Resolved IP falls into Malicious Sources/Malnets category; if the Resolved IP does falls into some other category then the flow will be simply processed based on URL category (the categorization based on Resolved IP will be ignored).
If you have a case where an URL is categorized as normal category (i.e. not blocked) but the IP is being categorized as Malicious Sources/Malnets (with high Risk Score) and you know that there is no Malicious traffic or Activity from that IP, you can reach out to Broadcom Support and request a Category and Risk Score re-evaluation. It is highly recommended to take a Policy Trace in the ProxySG to confirm the root cause of the block.
Note: If the URL itself is incorrectly categorized as Malicious Sources/Malnets or Suspicious, etc. causing the block and you know that your site does not have any Malicious/Suspicious content then you can submit the request for recategorization via the 'Site Review Request' site.