Regarding the monitoring of http traffic in DLP Web Prevent, request (REQ) vs response (RESP)
As indicated in the Admin guide chapter on Web Prevent, page 894 of 11.1.2 release, you must configure at least one HTTP proxy server to forward Web requests or responses to the Network Prevent Server (Web). The HTTP proxy acts as an ICAP client to the Network Prevent (Web) Server. Symantec Data Loss Prevention supports both the request modification (REQMOD) and response modification (RESPMOD) modes of ICAP.
If you want to analyse requests as well as responses, use one Network Prevent (Web) Server to analyze requests.
Use a second Network Prevent (Web) Server to analyze responses.
Web Prevent will look at whatever information is handed over by the ICAP session from the Proxy. Could be REQ or RESP or both, but our recommendation is one Prevent server for each direction of traffic – REQ or RESP.
You need a separate Web Prevent for each direction. Never mix Req and Resp on the same Web Prevent Server. It will lead to the filereader crashing and web pages will take too long to load.