Hi,
Thank you for posting your query on Symantec community & would be glad to assist you here.
To keep using FTP passive mode (IIS only support this mode) rather than active mode, allow the application in firewall policy per the following steps:
1. Log in to the Symantec Endpoint Protection Manager (SEPM) > Policies > Firewall > Firewall policy > Edit the dedicated policy > Rules > Add Blank Rule
2. Edit the Application of the new (Blank rule) rule, add the application name "inetinfo.exe" to this rule.
3. Assign the newly edited policy to the appropriate client group.
Refere the following article: Symantec Endpoint Protection (SEP) firewall denies FTP access from client even if FTP service is allowed to access
http://www.symantec.com/docs/TECH165200
An overview of active and passive (PASV) FTP
http://www.symantec.com/docs/TECH80150