Endpoint Protection


Disabling only firewall on specific client via SEPM

  • 1.  Disabling only firewall on specific client via SEPM

    Posted Oct 15, 2014 06:48 AM

    What is the best way to disable only the firewall on a specific client via SEPM, and not all Network Threat Protection features?



  • 2.  RE: Disabling only firewall on specific client via SEPM

    Posted Oct 15, 2014 06:52 AM

    You need to create a new SEP group and withdraw the firewall policy from that group.

    Withdrawing or disabling a Symantec Endpoint Protection Firewall policy does not disable Network Threat Protection

    Article:TECH162868 | Created: 2011-06-21 | Updated: 2012-07-18 | Article URL http://www.symantec.com/docs/TECH162868


  • 3.  RE: Disabling only firewall on specific client via SEPM

    Posted Oct 15, 2014 07:23 AM

    I tested by withdrawing the policy, as I thought it would do what was required.

    However, the client still had the firewall ON, when checked on client's machine under SEP Client>"Network Threat Protection settings>Firewall".



  • 4.  RE: Disabling only firewall on specific client via SEPM

    Posted Oct 15, 2014 07:37 AM

    Did the SEP client receive the policy?

    Also, you can disable it on the client side.

    Manually disabling the NTP firewall on the client

    1. Open the Symantec Endpoint Protection client interface.
    2. Click Change Settings.
    3. Click Configure Settings in the Network Threat Protection section.
    4. Uncheck Enable Firewall and click OK.

    http://www.symantec.com/business/support/index?page=content&id=HOWTO59111



  • 5.  RE: Disabling only firewall on specific client via SEPM

    Posted Oct 15, 2014 07:42 AM

    Were you able to modify by package? The firewall is NTP; what do you want to keep or change?

    http://www.symantec.com/business/support/index?page=content&id=TECH90936



  • 6.  RE: Disabling only firewall on specific client via SEPM

    Posted Oct 15, 2014 07:46 AM

    Yes, it received the policy, as I observed the Firewall configuration items greyed out on the client's end.

    We don't want to do the same on the client's end, as it's unmanageable and very time consuming.



  • 7.  RE: Disabling only firewall on specific client via SEPM

    Posted Oct 15, 2014 07:51 AM

    We are not modifying the package. As in my previous post, we are looking for better ways to manage specific client firewalls (turn on / off) remotely via SEPM.

    One reason is to perform temporary troubleshooting on issues that keep arising now and then.

    NTP is firewall and IPS, as per my understanding.



  • 8.  RE: Disabling only firewall on specific client via SEPM

    Posted Oct 15, 2014 08:07 AM

    Even though you withdrew the policy, it's going to show "ON".

    If you don't want the firewall, just remove only that component.



  • 9.  RE: Disabling only firewall on specific client via SEPM

    Posted Oct 15, 2014 08:21 AM

    It's not that we don't want it. Many times we need to disable it temporarily for troubleshooting, which is time and resource consuming at times.



  • 10.  RE: Disabling only firewall on specific client via SEPM

    Posted Oct 15, 2014 08:38 AM

    You can right click on a client in the SEPM and select "Disable Network Threat Protection" however, this also disables IPS, which it sounds like you don't want.

    Really the only other way is to create a special purpose group without a firewall policy. Any time you need to temporarily disable the firewall, move into that group and update the policy.



  • 11.  RE: Disabling only firewall on specific client via SEPM

    Posted Oct 15, 2014 08:41 AM

    Sooo, it's a known issue for the FW to still show as "On" on the SEPM for a client, while it's actually been disabled.

    http://www.symantec.com/docs/TECH203713

    As such, can you check what version you're running and (if affected) consider upgrading?

    Regarding your initial question though, James007's first post hit the nail on the head. Placing the client in its own group and withdrawing the FW policy from this group is the best way to disable the FW only for a client.

    All other remote methods (whether via commands from the SEPM, Altiris/SCCM/LANDesk scripts, or by PSExec'ing smc commands) will disable both FW and IPS.

    The only problem is that it will take a while to take effect, as you'll need to wait for the client to heartbeat in before it will pick up the policy change.