With Symantec Endpoint Protection (SEP), in a configuration meeting all of the below requirements large delays may be observed for ICMP traffic, or ping requests may appear to be blocked when they should be allowed according to the firewall rules.

• The Reverse DNS option is enabled (under "Protection and Stealth" in the firewall policy).
• One or more firewall rules are configured using a DNS name rather than IP/MAC address as host.
• The address of the DNS server used on the network is listed in an Excluded Host in the Intrusion Prevention policy.

Ping requests may time out, or (if the -w 20000 parameter is used to increase the ping command timeout) succeed after roughly 13000 milliseconds.

Removing the DNS server IP address from the IPS Exclusions resolves the problem.