...
In the case of BloxOne Threat Defense Cloud, security policies having network scopes defined based on tags will continue to function even after the tags used to define the scopes have been revoked. For example, if an endpoint group has a tag key of Country and a value of India, then the rules in any security policy having the endpoint groups scope defined based on these tags will continue to work even though these tags are revoked. However, the Cloud Services Portal will show the tags as being revoked for the object. If tags are reactivated, then the tags will re-associate with their respective objects. The exception to this behavior is when revoking a tag associated with an IPAM scope. In the case, revoking a tag associated with an IPAM scope makes policies based on tags no longer work. This is because the IPAM Sync job is no longer receiving the tag information from the DDI APIs. If tags are revoked, then the tags field in dfp_address_scopes will be set to null in such a case.
To deactivate a tag, complete the following:
...