When reviewing logs on the Symantec Endpoint Protection Manager (SEPM) or when exporting these logs to an external logging server (syslog server), the Action field is not populated for IPS events reported by macOS clients.  Reviewing the firewall logs on the Mac itself shows an action, such as "Vulnerability Blocked"

Our Engineering team is investigating this issue and will update this document when a solution becomes available.