Symantec Endpoint Protection (SEP) for Mac blocks WSS traffic when WCAP policy is enabled.

WCAP = Web and Cloud Access Protection, SEP's integration with Symantec's WSS without requiring a standalone WSS agent
WSS = Web Security Service

SEP for Mac

There is no default rule to allow this traffic.

Create an "Allow" rule for the required WSS traffic. See section labeled "Explicit Proxy SEP PAC File Management System or Default PAC file" in online documentation here: WSS Required Locations, Ports, and Protocols. The rule should look something like this in the Mac section of the firewall policy:

This rule is not expected to be necessary in future versions of SEP for Mac, with tighter WCAP integration allowing the traffic automatically.