Hello,
In Symantec Endpoint Protection 12.1, the client firewall function is separate and does not need to be installed or enabled for IPS to function.
In order to enable IPS in Symantec Endpoint Protection 11.x, you must have the client firewall portion of Symantec Endpoint Protection installed and running. This can seem like a problem if you want to run IPS but do not want to use the firewall. To work around this, withdraw the firewall policy. This ensures that IPS is enabled and protecting your network without forcing you to use the client firewall.
I would suggest you to check these Articles:
Symantec Endpoint Protection Manager - Intrusion Prevention - Policies explained
http://www.symantec.com/docs/TECH104434
Best practices regarding Intrusion Prevention System technology
http://www.symantec.com/docs/TECH95347
Hope that helps!!