Is this an unmanaged client? If so,
Open the SEP GUI
Under Network Threat Protection select Options >> Configure Firewall Rules
Click Add
Give the Rule a name and for the Action select Allow this traffic
On the Hosts tab, you can either enter the IP of the switch ort leave it at all hosts
On the Ports and Protocols tab select the UDP protocol. For Local Ports click the dropdown and select TFTP (69)
Click OK and move the rule to the top.
That should be it.
http://www.symantec.com/docs/TECH105725