FortiGate
nithincs
Staff & Editor
Article Id 402896
Description This article provides a reason and a solution for a specific adult site getting allowed by the FortiGate Google ISDB policy.
Scope FortiGate.
Solution

Most policies are ordered in a way that trusted connections and common internet services are permitted directly through ISDB-based policies, bypassing inspection. Conversely, any remaining internet traffic is routed through UTM profiles for necessary inspection.


Recently it has been noticed that, with the policy order described above, the ISDB-based policy for Google allows the traffic and FortiGate is unable to block access to www.p*ornhub.xxx.


When a user accesses www.p*ornhub.xxx, the site's domain name is resolved to 199.36.158.100.


The IP is part of Google's ISDB and is also allocated for Google LLC: https://whois.arin.net/rest/net/NET-199-36-152-0-1/pft?s=199.36.158.100


An A record in the p*ornhub.xxx nameserver points the domain to 199.36.158.100:


The following command can be used to verify which ISDB the destination IP address belongs to:


diagnose internet-service match <vdname> <ip> <netmask>


As the resolved IP address belongs to the Google ISDB, HTTPS traffic to www.p*ornhub.xxx is allowed by the Google ISDB-based policy without inspection.


The solution is to apply a DNS Filter to the client DNS traffic and block all DNS queries for the .xxx sTLD, which prevents users from resolving, and therefore reaching, adult category sites.


If using the DNS Filter is not possible, use the Web Filter instead. Traffic should still be blocked, as the Web Filter inspects the actual TLS Client Hello sent by the user, which carries the real domain (the SNI) they tried to access rather than only the destination IP.
This article explores a similar scenario: Technical Tip: IPs in multiple ISDB entries - Fortinet Community.
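As an added illustration (not part of the original article or a FortiGate feature), the script below models the policy evaluation described above: an ordered policy table where an ISDB match accepts traffic by destination IP without inspection, followed by a DNS-filter check on the queried TLD. It audits constructed DNS log lines and flags resolutions that an IP-only ISDB policy would wave through; the prefix 199.36.152.0/21 is assumed to be part of the Google ISDB based on the ARIN record cited above, and the log format is invented.

```python
import ipaddress
import re

# Assumed Google ISDB prefix (from the ARIN block cited in the article);
# the real ISDB contents depend on the FortiGuard database version.
GOOGLE_ISDB = [ipaddress.ip_network("199.36.152.0/21")]

# Policy order as the article describes: ISDB allow rule first,
# then a catch-all rule that sends remaining traffic through UTM inspection.
POLICIES = [
    {"name": "allow-google-isdb", "isdb": GOOGLE_ISDB, "inspect": False},
    {"name": "internet-utm", "isdb": None, "inspect": True},
]

BLOCKED_TLDS = {"xxx"}  # DNS Filter rule from the solution section


def match_policy(dst_ip: str) -> dict:
    """Return the first policy matching dst_ip (IP only, as ISDB does)."""
    ip = ipaddress.ip_address(dst_ip)
    for pol in POLICIES:
        if pol["isdb"] is None or any(ip in net for net in pol["isdb"]):
            return pol
    raise LookupError("no policy matched")


def dns_filter_blocks(qname: str) -> bool:
    """DNS Filter: block a query whose TLD is on the blocked list."""
    return qname.rstrip(".").rsplit(".", 1)[-1].lower() in BLOCKED_TLDS


LOG_RE = re.compile(r"qname=(?P<qname>\S+) answer=(?P<answer>\S+)")


def audit(dns_log: str) -> list:
    """Flag answers that skip UTM inspection via an ISDB policy and note
    whether the DNS Filter would have stopped the lookup first."""
    findings = []
    for line in dns_log.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        pol = match_policy(m["answer"])
        if not pol["inspect"]:
            findings.append({"qname": m["qname"], "answer": m["answer"],
                             "policy": pol["name"],
                             "dns_filter_blocks": dns_filter_blocks(m["qname"])})
    return findings


# Constructed DNS log lines, not captured from a real FortiGate.
SAMPLE_LOG = """qname=www.example.xxx answer=199.36.158.100
qname=www.google.com answer=199.36.158.1
qname=news.example.net answer=203.0.113.10
"""
```

Running `audit(SAMPLE_LOG)` reports both Google-prefix answers as uninspected, and only the .xxx query as one the DNS Filter would block.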


For guidance on configuring the DNS filter based on country codes or a reference for blocking domains (such as those ending in '.xxx'), see Technical Tip: How to block the website belonging to specific country code TLD.