A managed Symantec Endpoint Protection (SEP) 12.1 client shows the firewall component as enabled when you open the client interface, click Change Settings, and then click Configure Settings for the Network Threat Protection (NTP) component. However, the firewall policy applied to this client by the Symantec Endpoint Protection Manager (SEPM) is disabled. What is the true state of the client firewall in this scenario?
This is expected behavior in SEP 12.1, 12.1 RU1 or 12.1 RU1MP1. When the firewall policy is disabled within the SEPM console, the client firewall is for all intents and purposes disabled at that point and is put into pass-through mode, so no traffic is evaluated against the firewall rules. The client GUI nevertheless continues to show the firewall as enabled, so on these versions the state of the policy in SEPM, not the client GUI, tells you whether firewall rules are being applied.
Note that in SEP 12.1 RU2 this is no longer true. When working with this version, if a firewall policy is disabled within SEPM, then managed clients using that policy will show their firewall as disabled under the NTP settings.