How to troubleshoot Symantec Endpoint Protection / Endpoint Security for Mac - isolating problem components

Article ID: 216959

Products

Endpoint Protection, Endpoint Security

Issue/Introduction

How to troubleshoot errors, performance issues, or other unexpected behavior in SES/SEP for Mac (Symantec Endpoint Protection or Symantec Endpoint Security for Mac).

Environment

SEP/SES for Mac

Resolution

First, disable or withdraw the AutoProtect, Firewall, Intrusion Prevention (Firewall & IPS), and Device Control policies one at a time, and re-test after each. For this testing it is often most convenient to unlock the corresponding policies at the management console so that the local user has control over the feature toggle switches in the client UI. If symptoms do not recur after disabling a particular component, stop and focus troubleshooting on that area. If you are working with an endpoint where client control is enabled, these policies correspond to the toggle switches in the "Advanced" settings area of the SEP client GUI: "Protect My Mac->Automatic Scans", "Intrusion Prevention->Vulnerability Protection & Firewall", and "Device Control".

If symptoms still recur after disabling all the features as directed above, open macOS System Preferences on the client and open Network settings. Look for the "SEP Network Security" service. Select it and choose "Make Service Inactive" from the gear menu at the bottom. Click "Apply". Ignore any "At Risk - Finish Setup" prompts from SEP, test your networking performance, and note whether it has improved. If so, you have isolated the problem to the SEP macOS networking extension.

Beginning in SEP 14.3 RU2, you can disable SEP Network Security and SEP will not ask to re-enable it, provided you have also disabled or withdrawn Firewall and Intrusion Prevention (IPS). As soon as either of those policies is enabled, SEP will ask to re-enable the network content filter. Also starting with 14.3 RU2, you may disable the content filter remotely if the Mac is under Mobile Device Management (MDM): remove the approval for the SEP Mac Web Content Filter in the MDM profile; if the FW+IPS policies are disabled in RU2, the "SEP Network Security" entry then disappears from the macOS Network settings. If the content filter is reloaded and the local user approves it, MDM won't have any control over it and the local user must remove or disable it.

The SEP client can be deployed without the content filter enabled, under the following conditions:

  1. There must be no MDM profile in place that allows the SEP Web Content Filter. All of the other MDM permissions must be in place, though. See Pre-approving the macOS permissions required by Endpoint Protection / Endpoint Security.

  2. The client must be deployed as a member of a client group where IPS & Firewall are disabled or withdrawn.

  3. The client must be installed directly from the exported installer. You cannot use a push from SEPM or a SEPRemote.pkg: they won't cooperate and will attempt to load the network profile even though there is no need for it.

Additional Information

What data should be gathered if the SEP Mac Network Content Filter is causing network interruptions