This issue is fixed in Symantec Endpoint Protection 12.1.6.4 - RU6-MP4. For information on how to obtain the latest build of Symantec Endpoint Protection, read:
TECH 103088: Download the latest version of Symantec Endpoint Protection
To work around the issue in the meantime the SEPM administrator can re-enable the firewall policy temporarily and send a command to the clients to disable / enable Network Threat Protection. Next time the policy is disabled, the clients will correctly show firewall status as "Disabled by policy" and SEPM will not report any problems.
Thanks for your feedback. Let us know if you have additional comments below. (requires login)