Monitoring of http traffic in DLP Network Prevent for Web, request (REQ) vs response (RESP)

Article ID: 159550

Products

Data Loss Prevention, Data Loss Prevention Network Monitor and Prevent for Web

Issue/Introduction

Best practice notes for monitoring http traffic in DLP Network Prevent for Web (NPW), request (REQ) vs response (RESP)

Environment

DLP 15.x

Resolution

As indicated in the Administrators Guide links below, you must configure at least one HTTP proxy server to forward Web requests or responses to the Network Prevent for Web (NPW) Server.

The HTTP proxy acts as an ICAP client to the Network Prevent for Web Server. Symantec Data Loss Prevention supports both the request modification (REQMOD) and response modification (RESPMOD) modes of ICAP.

IMPORTANT:

If you want to analyze both requests and responses, you should deploy one NPW server for each direction of traffic (REQ or RESP), i.e.:

  • Use one NPW Server to analyze requests (REQMOD)
  • Use a second NPW Server to analyze responses (RESPMOD).

Remember that most proxy servers provide methods of filtering what is forwarded to the Network Prevent for Web Server in both REQMOD and RESPMOD modes. Consult the proxy server's documentation for details.

Mixing REQMOD and RESPMOD on the same Web Prevent Server will likely lead to the DLP filereader service crashing and web pages taking a long time to load.
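
One way to audit a proxy configuration for this condition, as an added example that is not part of the original article or of the product: it assumes the proxy is Squid (the article names no specific proxy) and reads its `icap_service` directives. The hostnames and service ids in the sample are constructed placeholders.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed squid.conf excerpt; hostnames and service ids are placeholders.
SAMPLE_CONF = """\
# ICAP services pointing at NPW servers
icap_enable on
icap_service dlp_req reqmod_precache icap://npw-a.example.internal:1344/reqmod bypass=0
icap_service dlp_resp respmod_precache icap://npw-a.example.internal:1344/respmod bypass=0
icap_service dlp_resp2 respmod_precache icap://npw-b.example.internal/respmod
"""


def icap_modes_by_server(conf_text):
    """Map each ICAP server hostname to the set of ICAP modes sent to it."""
    modes = defaultdict(set)
    for raw in conf_text.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop trailing comments
        # Squid syntax: icap_service <id> <vectoring_point> <uri> [options]
        if len(fields) < 4 or fields[0] != "icap_service":
            continue
        vectoring_point, uri = fields[2].lower(), fields[3]
        if vectoring_point.startswith("reqmod"):
            mode = "REQMOD"
        elif vectoring_point.startswith("respmod"):
            mode = "RESPMOD"
        else:
            continue
        host = urlsplit(uri).hostname
        if host:
            # Keyed by host, not host:port: the article's guidance is per server.
            modes[host.lower()].add(mode)
    return dict(modes)


def mixed_mode_servers(conf_text):
    """Return hostnames that receive both REQMOD and RESPMOD traffic."""
    by_server = icap_modes_by_server(conf_text)
    return sorted(h for h, m in by_server.items() if m == {"REQMOD", "RESPMOD"})


if __name__ == "__main__":
    for host in mixed_mode_servers(SAMPLE_CONF):
        print(f"{host}: receives both REQMOD and RESPMOD; "
              "use a separate NPW server for each direction")
```
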