In some cases, actions set on a vulnerability are not applied as expected. This is due to the policy inside the profile taking precedence over the individual vulnerability, if set to anything other than 'Default.'
The following is vulnerability protection profile and action for c2s is reset-both.
Let's say you have created a custom vulnerability signature to block a specific website and severity for the custom signature is critical and action is alert.
If you try to access that website, you won't be able to do so, even though the action for the custom vulnerability is alert. That's because the vulnerability profile rule for critical is reset-both. The action set in the profile rule takes precedense over the individual vulnerability action. If you want that rule to not take precedence, create an exception for that vulnerability.