When a domain, IP or URL is added to the Deny list in the UI of the Endpoint Detection and Response (EDR) appliance, SEP clients do not block connections with their software firewall feature.
This is not a feature of the SEDR appliance. Domains, IPs and URLs entered in the Deny list are effective for the network scanning component of the SEDR appliance only. These entries are not passed to SEP clients in the form of a firewall policy.
Behavior by design.
The SEDR appliance needs to be in Inline Blocking mode to block a client from accessing a domain, URL or IP address (external computer) added to the Deny list.
Title: EDR 4.6 Help - How Symantec EDR applies deny list policies based on your operating mode
URL: https://techdocs.broadcom.com/us/en/symantec-security-software/endpoint-security-and-management/endpoint-detection-and-response/4-6/about-policies-v115121914-d38e34170/how-applies-blacklist-policies-based-on-your-opera-v129134140-d38e34288.html