All devices use (eth1) for their capture/management, except for Monitor. I'm assuming the Monitor uses (eth1) too for its management purposes since the capture ports (eth2 &3) are RX only?
Also, does the Web Prevent device have the ability to capture in addition to prevent/monitor?
For example, could I continue to have the proxy feed the HTTP/HTTPS POST traffic to the Web Prevent device via ICAP, but in addition to that...have all HTTP/HTTPS traffic captured on (eth2 & 3)?
I sort of remember our McAfee Rep saying something about doing this to free up the Monitor from capturing all traffic. So the deviced is not being maxed out. It was suggested in addition to prevent/monitor we should capture all HTTP/HTTPS traffic with Web Prevent, SMTP with Email Prevent, and allow Monitor to capture all the other odd ball traffic. Is that correct? Or should Monitor be doing all the capturing?