You can implement a CAPTCHA challenge-response test for specific proxied client requests.

When CAPTCHA validation is implemented on the appliance:

1. A client makes a request that, according to policy, is subject to CAPTCHA validation.
2. The browser presents an HTML form including a CAPTCHA image that the user must solve.
3. A correct response verifies that the request was human-initiated. 
   1.    If the response is incorrect, the form loads a new CAPTCHA image.
   2.    If the response is correct, the browser loads the requested page and the appliance sets a session cookie.

Configuring CAPTCHA validation consists of creating the validator and form in the CLI and including them in policy.

1. Log in to the CLI, and enter configuration mode:
   1. ProxySG#>en
   2. ProxySG##conf t
2. Create a new validator:
   1. ProxySG#(config)security captcha create-validator mycaptcha
   2. where mycaptcha is the name of the validator.
3. Include the validator in policy (Local file or VPM CPL layer) using the following action:
   1. validate (mycaptcha)
4. To prevent recurring CAPTCHA challenges when an already-authenticated user changes hosts within a browsing session, include policy to use a Common Domain Cookie:
   1. validate.mode(<mode>) where <mode> is form-cookie or form-cookie-redirect.
   2. validate.mode(form-cookie )

Note: The CAPTCHA test is not invoked for future requests from the same client and to the same domain until the cookie expires.

For explicit proxy deployment review the following kb-article before configuring CAPTCHA Validation
http://www.symantec.com/docs/TECH245821