Firewall rules only work under certain conditions, and I've not had good luck with the domain blocking in SEP. For one thing, with Akamai or whatever it's called, the IP addresses are shared. I tried to block eBay's addresses (there are a lot of them) and ended up with Walmart and many other sites getting blocked because of the server and address caching with Akamai or whatever it's called.
HOWEVER, the URL won't change - say there's malware that's on www.mymalware.com and folks get redirected to that, or it's a link in an email and you want to block it. So you find the IP, put it in the firewall and block it today. That works for this morning - but the malware folks know they've been found out and folks are blocking them, so they move to a different server... SAME URL, different server and IP. NOW your great firewall rule won't do anything.
Enter Custom IPS signatures!
Policies, Intrusion Prevention, Custom Intrusion prevention policies
and here is a rule that blocks a phishing site:
rule tcp, dest=(80), saddr=$LOCALHOST, msg="Amazon phishing site", content="bfgzdxbj.info"
You can block specific or multiple or all ports, set specific source addresses, and the content can contain a simple URL string or be more complex as needed. They have some decent documents on creating custom IPS rules here somewhere - but I'm fighting a few fires here so don't have a lot of time to dig and post 'em, sorry...
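As an added illustration (not part of the original post, and not Symantec's engine): a small Python model of the two approaches the post compares, run over constructed sample requests. The IP addresses are documentation-range placeholders, the host names other than the one in the quoted rule are made up, and the plain substring search is a simplified stand-in for an IPS content match.

```python
# Simplified model: compare an IP-based block with a content-string match.
# All traffic below is constructed; IPs are documentation-range placeholders.

BLOCKED_IPS = {"203.0.113.10"}   # address the bad host resolved to when the rule was written
SIGNATURE = b"bfgzdxbj.info"     # content string from the rule quoted in the post
SIGNATURE_PORTS = {80}           # dest=(80) in that rule


def ip_rule_blocks(dst_ip):
    return dst_ip in BLOCKED_IPS


def content_rule_blocks(dst_port, payload):
    # Assumption: the content match is a plain substring search over the payload.
    return dst_port in SIGNATURE_PORTS and SIGNATURE in payload


def request(host, path="/"):
    return f"GET {path} HTTP/1.1\r\nHost: {host}\r\n\r\n".encode()


# (label, destination IP, destination port, payload, is the request actually unwanted?)
SAMPLES = [
    ("bad host, original server", "203.0.113.10", 80, request("bfgzdxbj.info", "/signin"), True),
    ("bad host, moved to new server", "198.51.100.77", 80, request("bfgzdxbj.info", "/signin"), True),
    ("unrelated site on the shared IP", "203.0.113.10", 80, request("shop.example"), False),
    ("unrelated site, other IP", "192.0.2.5", 80, request("www.example.org"), False),
    ("lookup that mentions the name", "192.0.2.5", 80, request("search.example", "/?q=bfgzdxbj.info"), False),
]


def mistakes(samples=SAMPLES):
    """List (rule, kind, label) for every miss or collateral block."""
    out = []
    for label, ip, port, data, bad in samples:
        verdicts = (("ip", ip_rule_blocks(ip)), ("content", content_rule_blocks(port, data)))
        for rule, blocked in verdicts:
            if blocked != bad:
                out.append((rule, "miss" if bad else "collateral", label))
    return out


if __name__ == "__main__":
    for row in mistakes():
        print(*row, sep=" | ")
```

The last sample shows the cost of a bare content string: any cleartext port 80 request that carries the string anywhere in its payload matches, not only requests to that host.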