Endpoint Protection

  • 1.  Clients reporting to other SEP Manager

    Posted Jan 08, 2020 05:06 AM

    Dear Everyone,

    I would like to ask for help on how I can achieve a correct SEP firewall policy which will prevent clients from reporting to the other SEP manager in our other sites. Our current setup is 1 SEPM at each site and no replication. All sites are connected via MPLS.

    We're using a custom port for client-server communication.

     

    Thank you to those who responded.



  • 2.  RE: Clients reporting to other SEP Manager
    Best Answer

    Posted Jan 08, 2020 12:02 PM

    Your SEPM might have a management server list assigned with the details of your site2 SEPM. Remove that, or block port 8014 on the fw so that it does not pass and go out to the other SEPM. The default communication port is 8014.

    Creating and assigning a management server list for a Symantec Endpoint Protection Manager

    https://support.symantec.com/us/en/article.tech103175.html



  • 3.  RE: Clients reporting to other SEP Manager

    Posted Jan 08, 2020 11:16 PM

    Define only the required SEPM server IP address in the Managed Server List (MSL) policy of the corresponding SEPM. This will ensure all SEP clients reporting to that SEPM will have only one SEPM server in the MSL.

     

    I assume there will currently be some clients reporting to a SEPM server other than the one they need to report to. To resolve this, you can make a group on the SEPM2 server with an MSL pointing to the SEPM1 server and, vice versa, a separate group on SEPM1 with an MSL pointing to SEPM2. When you encounter SEP clients not in the right SEPM, just move them to this group; they will reach the right SEPM, and the right SEPM will have the new MSL policy with a single SEPM.

    Ref link: Creating and assigning a management server list for a Symantec Endpoint Protection Manager

    Hope this solves it; do let us all know your response.

     



  • 4.  RE: Clients reporting to other SEP Manager

    Posted Jan 09, 2020 12:46 AM

    Thank you gentlemen for your solution.