A firewall policy has been created in the Symantec Endpoint Protection Manager (SEPM) to block a specific type of traffic (i.e. FTP) and this policy has been assigned to Symantec Endpoint Protection (SEP) clients.
However, these SEP clients neither block the specified traffic nor log events about it.
The cause is an existing Intrusion Prevention System (IPS) policy that lists an excluded host, and the clients are communicating with that host using the specified traffic (for example, the IP address of the FTP server is included in the IPS excluded hosts list).
This is working as designed.
When a SEP client communicates with an Excluded Host, it allows all inbound and outbound traffic to and from that host, regardless of the firewall rules and settings or IPS signatures. The IPS exclusions apply to both the firewall and the IPS components within the SEP client, so a firewall block rule never takes effect against an excluded host.
The SEPM Administration Guide PDF document further explains the behavior:
Setting up a list of excluded computers

The Symantec Endpoint Protection client may define some normal Internet activities as attacks. For example, some Internet service providers scan the ports of the computer to ensure that you are within their service agreements. Or, you may have some computers in your internal network that you want to set up for

You can set up a list of computers for which the client does not match attack signatures or check for port scans or denial-of-service attacks. The client allows all inbound traffic and outbound traffic from these hosts, regardless of the firewall rules and settings or IPS signatures.
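Because an IPS exclusion silently overrides firewall block rules on the client, an administrator reviewing a policy pair wants to know which block rules will never fire. The following audit helper is an added example, not code from the article or from Symantec: it takes a constructed list of firewall rules and a constructed IPS excluded hosts list (plain IP addresses and CIDR ranges, a format assumed for illustration, since SEPM exposes no such API here) and reports every block rule whose remote range overlaps an excluded host, plus the effective decision the client would reach for a given connection.

```python
"""Audit helper for the SEP behaviour described above: IPS excluded hosts
override firewall rules. Constructed example data; no SEPM API is used."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class FirewallRule:
    name: str
    action: str      # "block" or "allow"
    remote: str      # remote IP address or CIDR the rule matches
    protocol: str    # "tcp" or "udp"
    port: int        # remote port the rule matches


def parse_networks(entries):
    """Turn host/CIDR strings into network objects; a bare IP becomes a /32 (or /128)."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def overridden_rules(rules, excluded_hosts):
    """Return (rule, exclusion) pairs for every block rule whose remote range
    overlaps an IPS excluded host. Those blocks never take effect on the client."""
    exclusions = parse_networks(excluded_hosts)
    hits = []
    for rule in rules:
        if rule.action.lower() != "block":
            continue
        rule_net = ipaddress.ip_network(rule.remote, strict=False)
        for ex in exclusions:
            # Compare only same-family networks; IPv4/IPv6 cannot overlap.
            if rule_net.version == ex.version and rule_net.overlaps(ex):
                hits.append((rule, ex))
    return hits


def effective_action(rules, excluded_hosts, remote_ip, protocol, port):
    """Model the client's decision order from the article: an excluded host is
    allowed before any firewall rule is consulted; otherwise the first matching
    rule wins; with no match the traffic is allowed by default (assumption)."""
    ip = ipaddress.ip_address(remote_ip)
    for ex in parse_networks(excluded_hosts):
        if ip.version == ex.version and ip in ex:
            return "allow (IPS excluded host)"
    for rule in rules:
        rule_net = ipaddress.ip_network(rule.remote, strict=False)
        if (ip.version == rule_net.version and ip in rule_net
                and rule.protocol == protocol and rule.port == port):
            return f"{rule.action.lower()} ({rule.name})"
    return "allow (no matching rule)"


# Constructed sample policy data (not from any real SEPM export).
SAMPLE_RULES = [
    FirewallRule("Block FTP to file server", "block", "10.0.5.20", "tcp", 21),
    FirewallRule("Block Telnet", "block", "10.0.0.0/8", "tcp", 23),
    FirewallRule("Allow intranet web", "allow", "10.0.5.0/24", "tcp", 80),
]
SAMPLE_EXCLUDED = ["10.0.5.20", "192.168.1.0/24"]


def report(rules=SAMPLE_RULES, excluded_hosts=SAMPLE_EXCLUDED):
    """Human-readable audit lines, one per overridden block rule."""
    return [f"{rule.name!r} is ineffective: {rule.remote} overlaps IPS exclusion {ex}"
            for rule, ex in overridden_rules(rules, excluded_hosts)]


if __name__ == "__main__":
    for line in report():
        print(line)
    print(effective_action(SAMPLE_RULES, SAMPLE_EXCLUDED, "10.0.5.20", "tcp", 21))
```

Running the script on the constructed data flags both block rules (the FTP rule targets the excluded host directly, and the /8 Telnet rule contains it), and shows that an FTP connection to 10.0.5.20 is allowed by the exclusion rather than blocked by the firewall rule. Removing the host from the IPS exclusion list, or narrowing the exclusion, is the fix when the block is actually wanted.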