The SG leaves the tcp intercept mode as intercept (the default setting) and sets the watch-timeout to 30 sec (this isn't needed as it is the default). This is confusing to me. You are leaving the mode as intercept by not setting watch, but then you configure the watch-timeout.
Is the SG mistaken or am I not understanding something?
I think the answer should be:
ip tcp intercept list 100
ip tcp intercept max-incomplete low 500
ip tcp intercept max-incomplete high 1000
ip tcp intercept mode watch
access-list 100 permit tcp any host 167.x.4.119
the watch-timeout is 30 sec by default according to the 12.4 configuration guide, so it is not needed.