
Monitoring of HTTP traffic in DLP Network Prevent for Web, request (REQ) vs response (RESP)


Article ID: 159550




Data Loss Prevention, Data Loss Prevention Network Monitor and Prevent for Web


Best practice notes for monitoring HTTP traffic in DLP Network Prevent for Web (NPW), request (REQ) vs response (RESP)


DLP 15.x


As indicated in the Administrators Guide links below, you must configure at least one HTTP proxy server to forward Web requests or responses to the Network Prevent for Web (NPW) Server.

The HTTP proxy acts as an ICAP client to the Network Prevent for Web Server. Symantec Data Loss Prevention supports both the request modification (REQMOD) and response modification (RESPMOD) modes of ICAP.


If you want to analyze both requests and responses, you should deploy one NPW server for each direction of traffic –  REQ or

  • Use one NPW Server to analyze requests (REQMOD)
  • Use a second NPW Server to analyze responses (RESPMOD).

Remember that most proxy servers provide methods of filtering what is forwarded to the Network Prevent for Web Server in both REQMOD and RESPMOD modes. Consult the proxy server's documentation for details.

Mixing REQMOD and RESPMOD on the same Web Prevent Server will likely lead to the DLP filereader service crashing and web pages taking a long time to load.
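One way to check a deployment against this guidance is to audit the ICAP service definitions on every proxy and flag any NPW server that receives both modes. The script below is an added example, not Symantec or Broadcom code. The inventory format, proxy names, hostnames and URL paths are constructed; 1344 is the default ICAP port from RFC 3507.

```python
from collections import defaultdict
from urllib.parse import urlsplit

ICAP_DEFAULT_PORT = 1344  # default ICAP port per RFC 3507

# Constructed inventory: (proxy name, ICAP mode, ICAP service URL), as it might
# be exported from each proxy's ICAP configuration. All names are hypothetical.
SAMPLE_INVENTORY = [
    ("proxy-a", "REQMOD", "icap://npw-req.example.internal:1344/reqmod"),
    ("proxy-b", "REQMOD", "icap://NPW-REQ.example.internal/reqmod"),
    ("proxy-a", "RESPMOD", "icap://npw-resp.example.internal:1344/respmod"),
    ("proxy-c", "RESPMOD", "icap://npw-req.example.internal/respmod"),
]


def server_key(url):
    """Normalise an ICAP URL to (host, port) so spellings of one server match.

    Hostname case and an omitted default port are normalised; a server listed
    once by name and once by IP address is NOT merged and needs manual review.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() != "icap" or not parts.hostname:
        raise ValueError(f"not an ICAP service URL: {url!r}")
    return parts.hostname.lower(), parts.port or ICAP_DEFAULT_PORT


def find_mixed_mode_servers(inventory):
    """Return {(host, port): {mode: [proxies]}} for servers sent both modes."""
    modes = defaultdict(lambda: defaultdict(list))
    for proxy, mode, url in inventory:
        mode = mode.upper()
        if mode not in ("REQMOD", "RESPMOD"):
            raise ValueError(f"unexpected ICAP mode {mode!r} on {proxy}")
        modes[server_key(url)][mode].append(proxy)
    # A server is mixed-mode when both REQMOD and RESPMOD entries point at it,
    # even if they come from different proxies.
    return {
        server: {m: sorted(proxies) for m, proxies in by_mode.items()}
        for server, by_mode in modes.items()
        if len(by_mode) == 2
    }


if __name__ == "__main__":
    for (host, port), by_mode in find_mixed_mode_servers(SAMPLE_INVENTORY).items():
        print(f"{host}:{port} receives both modes: {by_mode}")
```

On the constructed inventory, the server used for requests is flagged because a third proxy also sends it responses, which is the mixed configuration the article advises against.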