Opened 3-0371393181.
If you could help facilitate its resolution, I'll be much obliged.
So far, no dice. To make things even more interesting, I've just pulled the IPS update on my second Management server in a separate infrastructure and am looking at an identical situation.
Unless I am exceptionally lucky, I suspect that something has changed in the way updates are behaving.
To summarize:
1. When multiple profiles, including the three stock profiles, are filtered to show "low confidence" protections, only "Strict" has them in "Detect" or "Staging" modes:
2. There are no traces in the Audit Log that would indicate any changes to the behavior of the protections prior to the update that borked them:
The stock profiles were untouched, and the only profile that was subjected to any kind of manipulation was the clone of "Optimized" with TE and TX removed:
The breakdown of the "Optimized_wo-TE_TX":
Does not show anything that could cause it to behave the way it does.
Same goes for the original "Optimized" and "Basic".
The update that triggered this behavior is 635183954 on one of the management servers prepped for deployment:
And the same update caused the same issues in another POC environment:
"Switch to version" earlier than 63513954, after application of that update, does not revert protections in "Basic", "Optimized" and the clone of "Optimized" to "Detect" mode.
"Profile cleanup" with "Remove all user modified" does not revert it to the normal state either.
Has anyone seen similar behavior before, or is anyone seeing it now?
Thank you,
Vladimir