RU2 clients that are installed with the Firewall component, but that have the Firewall policy withdrawn, are reported within the SEPM's Home Security Status (and Clients -> Protection Techonlogies) as having NTP disabled.
This does not affect 12.1RU1MP1 clients reporting to a RU2 SEPM, which report the Firewall is enabled even if the FW Policy has been withdrawn as per:
http://www.symantec.com/docs/TECH162868
From a technical view, I'd assume the above article is still correct as IPS is still in enabled and in use. But the way the client reports its status to the SEPM has changed.
Ideally we want the SEPM to be able to differentiate between a client's SEP firewall being disabled by the FW policy being withdrawn (SEP Administrator does not want the client FW to be on), and the FW being disabled by the end user (SEP Admin wants the FW to be on, but end user has disabled it and has the power to do so). I've created this as an "Idea" as below:
https://www-secure.symantec.com/connect/ideas/differentiate-between-different-sep-client-fw-states