Hi,
Thank you for posting in Symantec community.
I would be glad to answer your query.
First decide prior to deployment you want to use Windows Firewall or Symantec Firewall (NTP - Network Threat Protection)
If you wish to deploy SEP firewall then SEP will automatically turn off the Windows firewall after successful SEP installation.
As a best practice recommendation it is always advised to use only one software Firewall on a computer. Two software Firewalls running on a computer might drain resources and the both software Firewalls might have rules those might conflict with each other. Enabling more than one Firewall program is likely to result in conflicts and poor performance.
To prevent the above situation Symantec Endpoint Protection (SEP) installer automatically detects and disables Windows Firewall if enabled. Exception to this would be that if SEP is installed without Network Threat Protection (NTP) active Windows Firewall will not be disabled
Refer this article:
Best Practices for using Windows Firewall with Symantec Endpoint Protection 12.1
http://www.symantec.com/docs/TECH196975
If looking for best practice to deploy SEP client remotely check these articles:
About client deployment methods
http://www.symantec.com/docs/HOWTO81302
Steps to prepare computers to install Symantec Endpoint Protection 12.1 client
http://www.symantec.com/docs/TECH163112
How to prepare computers for remote deployment
http://www.symantec.com/docs/HOWTO16365
Preparing Windows operating systems for remote deployment
http://www.symantec.com/docs/HOWTO81300
Installing Symantec Endpoint Protection clients remotely
http://www.symantec.com/docs/HOWTO59432