The Symantec Identity Suite documentation states that a custom firewall configuration can be implemented by editing this file:
/opt/CA/VirtualAppliance/custom/iptables-firewall-configuration
This article provides an example.
Release : 14.3
Component : SIGMA-Identity Suite
Please note that /opt/CA/VirtualAppliance/custom/iptables-firewall-configuration is an iptables configuration file (the same rules format that iptables-restore reads), not a shell script: it must contain rule lines, not iptables commands.
The config file should look similar to the following sample:
*filter
# Set the default policy of the INPUT chain to DROP
-P INPUT DROP
# Accept incoming TCP connections from eth0 on ports 22, 80 and 443
-A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 443 -j ACCEPT
COMMIT
You don't need to reboot your vApp node.
To reload the firewall rules, restart the iptables service:
service iptables restart
To check the current firewall rules:
iptables --line-numbers -n -L
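Because the file is loaded as rules rather than executed as a script, a stray `iptables ...` command line or a missing COMMIT makes the restart fail, and a DROP default policy with no loopback or established-connection rule silently breaks return traffic. The following linter is an added example (not Broadcom's or the product's own code) that checks a file in this format for those pitfalls before the service is restarted; the three embedded samples are constructed for illustration, and the first of them is the article's rule set as written.

```python
"""Lint a vApp custom firewall file written in iptables-restore format.

Added example, not part of the product. Flags script-style lines (shebang,
'iptables ...' commands), rules outside a *table header, a missing COMMIT,
and an INPUT DROP policy without loopback / ESTABLISHED,RELATED accepts.
"""
import shlex
import sys

CONFIG_PATH = "/opt/CA/VirtualAppliance/custom/iptables-firewall-configuration"

# Constructed sample: the article's own rule set, verbatim.
SAMPLE_ARTICLE = """*filter
# Set the default policy of the INPUT chain to DROP
-P INPUT DROP
# Accept incoming TCP connections from eth0 on ports 22, 80 and 443
-A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 443 -j ACCEPT
COMMIT
"""

# Constructed sample: same policy, plus loopback and established-connection accepts.
SAMPLE_STATEFUL = """*filter
-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 443 -j ACCEPT
COMMIT
"""

# Constructed sample: the mistake the article warns about (a script of commands).
SAMPLE_SCRIPT = """#!/bin/bash
iptables -P INPUT DROP
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
"""

COMMAND_WORDS = {"iptables", "ip6tables", "sudo", "/sbin/iptables", "/usr/sbin/iptables"}
RULE_OPS = {"-A", "-I", "-D", "-R", "-N", "-P", "-F", "-X"}


def _value_after(tokens, opt):
    """Return the token following option `opt`, or None if absent."""
    if opt in tokens and tokens.index(opt) + 1 < len(tokens):
        return tokens[tokens.index(opt) + 1]
    return None


def lint_firewall_config(text):
    """Return a list of (severity, message) findings; an empty list means clean."""
    findings = []
    table = None            # current *table header, None until one is seen
    committed = False
    policies = {}           # chain name -> default policy
    accept_lo = False
    accept_established = False

    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#!"):
            findings.append(("error", f"line {lineno}: shebang found; this file is not a script"))
            continue
        if line.startswith("#"):
            continue
        if line.startswith("*"):
            table, committed = line[1:], False
            continue
        if line == "COMMIT":
            if table is None:
                findings.append(("error", f"line {lineno}: COMMIT before any *table header"))
            committed = True
            continue
        tokens = shlex.split(line)
        if tokens[0] in COMMAND_WORDS:
            findings.append(("error", f"line {lineno}: '{tokens[0]}' command; write rule lines such as '-A INPUT ...' instead"))
            continue
        if table is None:
            findings.append(("error", f"line {lineno}: rule appears before a *table header such as *filter"))
            continue
        if tokens[0].startswith(":") and len(tokens) >= 2:   # ':INPUT DROP [0:0]' form
            policies[tokens[0][1:]] = tokens[1]
            continue
        if tokens[0] not in RULE_OPS:
            findings.append(("error", f"line {lineno}: unrecognised rule line: {line}"))
            continue
        if tokens[0] == "-P" and len(tokens) >= 3:
            policies[tokens[1]] = tokens[2]
        elif tokens[0] in ("-A", "-I") and "ACCEPT" in tokens:
            if _value_after(tokens, "-i") == "lo":
                accept_lo = True
            for opt in ("--ctstate", "--state"):
                if "ESTABLISHED" in (_value_after(tokens, opt) or ""):
                    accept_established = True

    if table is not None and not committed:
        findings.append(("error", f"missing COMMIT after *{table}"))
    if policies.get("INPUT") == "DROP":
        if not accept_lo:
            findings.append(("warning", "INPUT policy is DROP but loopback (-i lo) traffic is not accepted"))
        if not accept_established:
            findings.append(("warning", "INPUT policy is DROP with no ESTABLISHED,RELATED rule; replies to outbound connections will be dropped"))
    return findings


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else CONFIG_PATH
    with open(path) as fh:
        for severity, message in lint_firewall_config(fh.read()):
            print(f"{severity}: {message}")
```

Run it against the file before `service iptables restart`; errors mean the restart will fail to load the rules, and the two warnings on the article's own sample show why a production rule set normally adds the loopback and ESTABLISHED,RELATED accepts shown in the second sample.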
For details, see the manpage for the iptables command: https://linux.die.net/man/8/iptables
14.4 https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/identity-suite/14-4/virtual-appliance/administering-virtual-appliance.html
14.3 https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/identity-suite/14-3/virtual-appliance/administering-virtual-appliance.html#concept.dita_484b93c7f06198e8b27adcc2537229358eb17777_CustomFirewallConfiguration