Some sites that should be blocked by policy are not being blocked when using Unified Agent (UA).
This could be caused by connections to websites via IPv6, which Web Security Service (WSS) does not monitor. When visiting test.threatpulse.com, it shows protected because that connection is via IPv4.
You can block IPv6 traffic through UA by doing the following:
This will block DNS requests for IPv6 destinations.