Can you tell me if you are using domain objects to block access? If so, then it is important to understand how domain objects work. Domain objects rely on reverse DNS, so they may not always be the best option. Take a look at this KB article:
If you are simply trying to block domains, then I recommend taking a look at Smartfilter as it will look at the host header to figure out which web site you someone is trying to access, and block or allow them accordingly.
OK, now it is clear why it was not wokring as expected.
So I configured custom Smart Filter policy, attached it to firewall policy rule. In the audit I can see written "SF_action: BLOCK", but the website is not actually blocked.
What am I missing?
That is interesting. If you are seeing the Smartfilter action of block, then I would certainly expect it to be blocked. You may want to contact support at this point to troubleshoot. They will probably want to start will the full audit file and go from there.
Do you think there is a chance that the page is cached on your client or anything?
I do have to apologize, this "SF_action: BLOCK" audit was for wrong address.
I added custom website to Smart Filter policy, but in audit for that IP there is no SF action written, it seems that Smart Filter didn't catch this customization.
I will try to set it up correctly.