topic Re: R81.20 "HTTP parsing error occurred" / body filter failed in response in Firewall and Security Management

R81.20 "HTTP parsing error occurred" / body filter failed in response

Romaryo — Wed, 22 Oct 2025 04:49:33 GMT

Hello everyone!
We’ve encountered the following phenomenon: many websites don’t fully load when opened (for example, Reddit, GitHub, etc.). In the logs, we see the following events (see attached screenshots). At the same time, we notice HTTP parser errors, and despite the fact that we have the Allow Fail-Open mode enabled and the traffic is allowed, the sites still don’t work. In the browser’s debug console, we can see that connections for fetching *.js files are being reset.
Does anyone have any ideas about this?
Thanks in advance!

Re: R81.20 "HTTP parsing error occurred" / body filter failed in response

Lesley — Wed, 22 Oct 2025 08:34:06 GMT

I suspect based on screenshot you are running https inspection. I assume if you bypass problematic website, it works. What Jumbo take do you run? You blocked quic already? -> https://support.checkpoint.com/results/sk/sk111754

Re: R81.20 "HTTP parsing error occurred" / body filter failed in response

the_rock — Wed, 22 Oct 2025 14:52:43 GMT

I second all the points @Lesley had made.

Re: R81.20 "HTTP parsing error occurred" / body filter failed in response

PhoneBoy — Thu, 23 Oct 2025 01:16:11 GMT

Other than the fact the gateway can see the underlying HTTP connection as a result of HTTPS Inspection being applied, it's not relevant to HTTPS Inspection.
There is an Inspection Setting called Non-Compliant HTTP that can be disabled or exceptions can be set for.
This is set in Security Policies > Shared Policies > Inspection Settings and requires an Access Policy install to take effect.

There are other instances where this occurs where TAC may need to be involved.

Re: R81.20 "HTTP parsing error occurred" / body filter failed in response

Romaryo — Thu, 23 Oct 2025 06:05:10 GMT

Hi! Yes, we are blocking QUIC. We had the same effect with JHF105 and also with JHF118 (currently).

Re: R81.20 "HTTP parsing error occurred" / body filter failed in response

the_rock — Thu, 23 Oct 2025 10:28:41 GMT

Are you doing bypass?

Re: R81.20 "HTTP parsing error occurred" / body filter failed in response

Romaryo — Thu, 23 Oct 2025 11:35:11 GMT

Sure, if we set up an HTTPS inspection bypass for the affected sites, the problem is solved. But we can't bypass everything — otherwise, what's the point of having full Threat Prevention?

Re: R81.20 "HTTP parsing error occurred" / body filter failed in response

the_rock — Thu, 23 Oct 2025 12:55:54 GMT

Not saying bypass everything, but certain things may need to be bypassed.

Re: R81.20 "HTTP parsing error occurred" / body filter failed in response

the_rock — Sun, 26 Oct 2025 00:12:46 GMT

One thing I would suggest is maybe going through below.

https://support.checkpoint.com/results/sk/sk112066

Re: R81.20 "HTTP parsing error occurred" / body filter failed in response

Romaryo — Mon, 27 Oct 2025 13:05:23 GMT

Colleagues, during the process we discovered another very interesting phenomenon — for example, there is a specific link https://www.gesetze-im-internet.de/kaeano/KAEAnO.pdf : when accessing it through a browser, the connection gets "ERR_CONNECTION_RESET",

but when using curl or wget, everything works as expected

wget https://www.gesetze-im-internet.de/kaeano/KAEAnO.pdf

StatusCode : 200
StatusDescription : OK
Content : {37, 80, 68, 70...}
RawContent : HTTP/1.1 200 OK
X-Content-Type-Options: nosniff
X-Frame-Options: sameorigin
X-XSS-Protection: 1; mode=block
Keep-Alive: timeout=5, max=59
Connection: Keep-Alive
Content-Disposition: inline; file...
Headers : {[X-Content-Type-Options, nosniff], [X-Frame-Options, sameorigin], [X-XSS-Protection, 1;
mode=block], [Keep-Alive, timeout=5, max=59]...}
RawContentLength : 132767

Re: R81.20 "HTTP parsing error occurred" / body filter failed in response

the_rock — Mon, 27 Oct 2025 13:07:34 GMT

Do you have an extended log you could attach?

Re: R81.20 "HTTP parsing error occurred" / body filter failed in response

Romaryo — Mon, 27 Oct 2025 13:21:10 GMT

What is particularly interesting is that everything works perfectly if the user is connected through the remote VPN access client. Also, there is no parser error and all websites are displayed normally. The internal network and the VPN network are both included in the role. Up to L4 everything works identically. If the VPN client connects to the internal company network, the issues start again. I just can’t figure out how to debug this…

Re: R81.20 "HTTP parsing error occurred" / body filter failed in response

the_rock — Mon, 27 Oct 2025 13:24:48 GMT

https://support.checkpoint.com/results/sk/sk105559

Re: R81.20 "HTTP parsing error occurred" / body filter failed in response

Romaryo — Mon, 27 Oct 2025 14:12:27 GMT

If I make a request through the browser, then I see the event log like in picture . If I make the request using wget, then it looks like in picture (wget). Pay attention to the interfaces… how can this be explained? bond4.509 is ext. Interface.

Re: R81.20 "HTTP parsing error occurred" / body filter failed in response

the_rock — Mon, 27 Oct 2025 14:33:35 GMT

Let me try it in my lab. I thought wget would work on Gaia by default, but guess not.

Re: R81.20 "HTTP parsing error occurred" / body filter failed in response

the_rock — Mon, 27 Oct 2025 14:44:33 GMT

Works like a charm in my lab.

PS C:\Windows\system32> wget

cmdlet Invoke-WebRequest at command pipeline position 1
Supply values for the following parameters:
Uri: https://www.gesetze-im-internet.de/kaeano/KAEAnO.pdf

StatusCode : 200
StatusDescription : OK
Content : {37, 80, 68, 70...}
RawContent : HTTP/1.1 200 OK
X-Content-Type-Options: nosniff
X-Frame-Options: sameorigin
X-XSS-Protection: 1; mode=block
Keep-Alive: timeout=5, max=68
Connection: Keep-Alive
Accept-Ranges: bytes
Content-Len...
Headers : {[X-Content-Type-Options, nosniff], [X-Frame-Options, sameorigin], [X-XSS-Protection, 1;
mode=block], [Keep-Alive, timeout=5, max=68]...}
RawContentLength : 56456

PS C:\Windows\system32>

Re: R81.20 "HTTP parsing error occurred" / body filter failed in response

Romaryo — Mon, 27 Oct 2025 15:07:05 GMT

Right, everything works the same for me through wget (the file downloads and the correct TP policy matches), but on the same machine the connection is reset... when using a browser

Re: R81.20 "HTTP parsing error occurred" / body filter failed in response

Romaryo — Mon, 27 Oct 2025 15:07:58 GMT

Thanks!

Re: R81.20 "HTTP parsing error occurred" / body filter failed in response

the_rock — Mon, 27 Oct 2025 15:08:27 GMT

In my lab, bith R81.20 and R82, same machine works for the browser as well. Does any log show this is inspected by the blade?

Re: R81.20 "HTTP parsing error occurred" / body filter failed in response

Lesley — Mon, 27 Oct 2025 18:14:17 GMT

Saw this one solved today in latest take:

PRJ-62472,
PMTR-117312

IPS

UPDATE: HTTP/1.1 requests missing host headers are now processed by the non-compliant HTTP Protection feature (Strict Parsing option). Previously, such requests were dropped immediately.