In some implementations, Symantec Protection Engine (SPE) does not receive connections directly from the client making the scan request, and instead receives connections forwarded through an intermediate network device such as a load balancer. By default, SPE will log the IP address of the logical connection as the requesting client IP. This combination of factors makes tracing the actual requesting client difficult.
To facilitate logging the original requesting IP instead of the logical connection IP address as the source of the scan request, Protection Engine will respond to a custom x-header added to the ICAP scan request.
The format of the x-header should be X-Client-IP: xxx.xxx.xxx.xxx
For example, a scan request coming from logical IP address 192.168.1.1 with the following ICAP options:
Would be logged as coming from client IP address 192.168.1.50 in the SPE logs, rather than the logical IP address of 192.168.1.1.
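The following is an added example, not code from Symantec or from the original article: one way the component that builds or forwards the ICAP request could set the X-Client-IP header described above, replacing any copy already present and accepting only an IPv4 dotted quad. The host name, service path and sample request are constructed placeholders, and the function names are hypothetical.

```python
import ipaddress

CRLF = "\r\n"
HEADER = "X-Client-IP"  # header name from the article


def dotted_quad(addr: str) -> str:
    """Return addr as an IPv4 dotted quad; raise ValueError on anything else.

    Rejecting non-addresses also keeps CR/LF out of the header value.
    """
    return str(ipaddress.IPv4Address(addr))


def set_client_ip(icap_request: str, client_addr: str) -> str:
    """Return icap_request with exactly one X-Client-IP header for client_addr."""
    head, sep, rest = icap_request.partition(CRLF + CRLF)
    if not sep:
        raise ValueError("ICAP header block is not terminated by a blank line")
    request_line, *headers = head.split(CRLF)
    # Drop any copy already present so only the observed address is logged.
    kept = [h for h in headers
            if h.split(":", 1)[0].strip().lower() != HEADER.lower()]
    kept.append(f"{HEADER}: {dotted_quad(client_addr)}")
    return CRLF.join([request_line, *kept]) + sep + rest


# Constructed sample: placeholder host and service path, not SPE defaults.
SAMPLE = CRLF.join([
    "RESPMOD icap://spe.example.internal:1344/EXAMPLE-SERVICE ICAP/1.0",
    "Host: spe.example.internal:1344",
    "x-client-ip: 10.9.9.9",
    "Encapsulated: null-body=0",
    "", "",
])

if __name__ == "__main__":
    print(set_client_ip(SAMPLE, "192.168.1.50"))
```

Only the ICAP header block is rewritten; anything after the blank line (the encapsulated sections) is passed through unchanged.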