User in China can connect the WARP client and ping network devices but can't access internal websites

I have a tunnel configured that delivers several Applications over HTTP/S.
Currently, there are around 10 active users using the services without issue.

One particular user is located in China. When he connects to the WARP client, he is able to ping our internal DNS servers, and the web hosts, but he cannot visit the web applications in a browser.
He sees HTTP error 502, but I don’t see that he’s been blocked when I look in the log.

If I use our antivirus software (SentinelOne) to remotely run a shell command “Curl” from his PC, I see that it says “This site is blocked” and it continues to give me a “Rule ID”, which matches my “Block all” rule (the bottom rule in my firewall rules).

I’m 100% confident that I have given his username permission to see the applications.
When I look in “My Team → Users” and click on his name, under “Session management” it says “Number of active sessions = 0” and “Number of active devices = 1”.

He has the WARP client on, and I can ping from his machine using the remote shell, so how do I get the “active sessions” to be 1?

Any other advice appreciated.
Thanks for reading. :wink: