MWG does not strip large headers before sending to any ICAP server. The MWG itself actually accepts up to a 10MB header.
More likely, what will help your situation is limiting the types of requests that get sent over to DLP. The default ruleset, for example, will send all GET requests which have a parameter. In some cases the DLP server only cares about the POSTs and PUTs, so sending GETs may be a part of the problem.
How do we set it up if we want MWG to send POST? We want to integrate with Forcepoint DLP; as their support said, they receive HTTP POST only. So, when sending to their DLP, we have encountered the error "ICAPBADRESPONSE 500 from dlp server" in mwg-core errors.
In your ICAP rules, you can create a rule similar to the following:
Name: Don't send GET requests
Criteria: Command.Name equals GET
Action: Stop Ruleset
Place this at the top of your ICAP rules and this will stop GETs from being sent over to DLP.
Oh, we already got one for both GETs and HEADs. And, following that is the one for CONNECTs and CERTVERIFYs.
We've also got one for Body.Size over 50MB and one for empty URL parameters (none of which is relevant to this issue).
Can you send a screenshot of it for good measure?
Not sure why you would need one for CONNECT and CERTVERIFY...
Doing a string comparison like Command.Name has minimal to no performance impact. Though I suspect that the "Skip requests that do not carry information" rule would catch the CONNECT or CERTVERIFY, which is why I've never seen that.
I just realized, I meant to address HK's concerns. He asked how to prevent GETs from being sent over to their DLP server.
Sorry John. Did your original question get answered about the 10MB limit?
Are you still seeing performance issues even with the GET exceptions?
Your first answer was the essence of it. Thank you. The rest is all workarounds, but it's worth throwing a few ideas around anyway.