The Symantec Management Platform and the agent on the client communicate in both directions. So, incoming connections are required for proper functioning. When installing the Symantec Agent for Macintosh on a client computer that has the firewall enabled, the system will prompt the user to allow or not allow incoming connections. Selecting 'Allow incoming connections' when prompted will open other ports required by the agent.
If the user does not allow for incoming connections, the agent may appear to run properly initially but will not receive task notifications, etc. and subsequent plug-ins for inventory, software management and other solutions will not install.
Is the Symantec Management Agent signed by a valid certificate authority?
The Symantec Management Agent is not currently a signed application. Thus, a user is prompted to allow for incoming connections. If the agent were signed, there would be no prompt to allow incoming connections.
Note the following comment in this Apple KB article under "Configuring the Application Firewall in Mac OS X 10.6 and Later": http://support.apple.com/kb/ht1810
2. Automatically allow signed software to receive incoming connections
Applications that are already signed by a valid certificate authority will automatically be added to the list of allowed applications rather than prompting the user to authorize them. For example, since iTunes is already signed by Apple, it will automatically be allowed to receive incoming connections through the firewall.
Symantec is currently researching this as a feature request.