Enforce: Gateway Setup
Block AI agents at the edge with zero code changes using DNS-based enforcement
Goal
Set up Checkpoint Gateway to enforce AI agent policies at the DNS/edge level — no code changes required. By the end of this cookbook, you'll have:
- Traffic routing through Checkpoint's edge network
- WASM-based detection running on every request
- Automatic SSL/TLS certificate provisioning
- Policy enforcement (block, redirect, challenge) for detected agents
Best for: Protecting any website or API without touching application code. Works with any origin server.
Prerequisites
- A Checkpoint account with a project created
- A domain or subdomain you control
- Access to your domain's DNS settings
Time Estimate
10-15 minutes (plus DNS propagation time)
Steps
Create a Gateway in the Dashboard
-
Log into your Checkpoint dashboard
-
Select your project (or create one)
-
Navigate to Settings → Enforce
-
Click Add Gateway
-
Enter the domain or subdomain to protect:
- For subdomains:
shop.example.com,api.example.com - For apex domains:
example.com
- For subdomains:
-
Click Create Gateway
The dashboard will generate the DNS records you need.
Copy the DNS Configuration
After creating the gateway, you'll see the required DNS configuration:
For subdomains (most common):
Type: CNAME
Name: shop (or your subdomain)
Value: detect.checkpoint-gateway.ai
TTL: Auto (or 300)For apex/root domains:
If your DNS provider supports CNAME flattening (Cloudflare, Route 53, Netlify):
Type: CNAME
Name: @ (or leave blank)
Value: detect.checkpoint-gateway.ai
TTL: AutoIf CNAME flattening isn't supported, use the A record shown in your dashboard.
Copy the exact values from your dashboard — they may include project-specific parameters.
Configure Your DNS
-
Log into Cloudflare dashboard
-
Select your domain
-
Go to DNS → Records
-
Click Add record
-
Configure:
- Type: CNAME
- Name: Your subdomain (e.g.,
shop) or@for apex - Target:
detect.checkpoint-gateway.ai - Proxy status: DNS only (gray cloud) — Important!
- TTL: Auto
-
Click Save
Important: Set the Cloudflare proxy to "DNS only" (gray cloud icon). Orange cloud (proxied) will break the Gateway.
-
Log into AWS Console
-
Go to Hosted zones
-
Select your domain
-
Click Create record
-
Configure:
- Record name: Your subdomain (e.g.,
shop) - Record type: CNAME
- Value:
detect.checkpoint-gateway.ai - TTL: 300
- Record name: Your subdomain (e.g.,
-
Click Create records
-
Log into Namecheap
-
Go to Domain List → Manage on your domain
-
Click Advanced DNS
-
Click Add New Record
-
Configure:
- Type: CNAME
- Host: Your subdomain (e.g.,
shop) or@for apex - Value:
detect.checkpoint-gateway.ai - TTL: Automatic
-
Click the checkmark to save
-
Log into GoDaddy
-
Go to My Products → DNS on your domain
-
Click Add in the Records section
-
Configure:
- Type: CNAME
- Name: Your subdomain (e.g.,
shop) or@for apex - Value:
detect.checkpoint-gateway.ai - TTL: 1 Hour
-
Click Save
Wait for Verification
Return to your Checkpoint dashboard. The Gateway status will progress through:
| Status | Meaning | Typical Time |
|---|---|---|
| Pending | DNS change not yet detected | 1-5 minutes |
| Provisioning | SSL certificate being issued | 1-3 minutes |
| Active | Gateway is live! | — |
DNS propagation can take up to 48 hours in rare cases. Most providers propagate within 5-15 minutes.
Verify DNS manually:
# Check if CNAME is set correctly
dig shop.example.com CNAME +short
# Should return: detect.checkpoint-gateway.ai
# Check if the domain resolves
curl -I https://shop.example.com
# Should return headers including x-checkpoint-* headersConfigure Enforcement Policies
Once the Gateway is active, configure how detected agents are handled:
- In your dashboard, go to Settings → Enforce → Policies
- Create a new policy or edit the default
Example: Block all AI agents
Name: Block AI Agents
Condition:
- detection_class equals "ai_agent"
Action: Block
Response:
- Status: 403
- Body: 'AI agent access is not permitted'Example: Allow verified ChatGPT, block others
Name: Verified Agents Only
Condition:
- detection_class equals "ai_agent"
- signature_verified equals false
Action: Block
Response:
- Status: 403
- Body: 'Unverified agent access denied'Example: Redirect bots to static page
Name: Redirect Bots
Condition:
- detection_class equals "bot"
- agent_name not_in ["Googlebot", "Bingbot"]
Action: Redirect
Target: https://example.com/bot-noticeTest the Gateway
Test as a human visitor:
curl -I https://shop.example.com
# Should return 200 OK with your origin's responseTest as ChatGPT:
curl -I -H "User-Agent: Mozilla/5.0 (compatible; GPTBot/1.0)" \
https://shop.example.com
# Should return 403 (if blocking AI agents)Test as Googlebot (if allowed):
curl -I -H "User-Agent: Googlebot/2.1" \
https://shop.example.com
# Should return 200 OK (if Googlebot is allowed)Check your dashboard → Analytics to see the detections logged.
Understanding Gateway Headers
The Gateway adds headers to requests forwarded to your origin:
| Header | Value | Description |
|---|---|---|
x-checkpoint-class | human, ai_agent, bot | Detection classification |
x-checkpoint-confidence | 0-100 | Confidence score |
x-checkpoint-agent-name | ChatGPT, Claude, etc. | Identified agent name |
x-checkpoint-verified | true, false | Signature verification status |
x-forwarded-for | Client IP | Original client IP |
Your origin can use these headers for additional logic:
// Express example
app.get('/api/data', (req, res) => {
const detectionClass = req.headers['x-checkpoint-class'];
if (detectionClass === 'ai_agent') {
// Return limited data for AI agents
return res.json({ data: 'limited' });
}
res.json({ data: 'full' });
});Verify It's Working
Dashboard Verification
- Go to Analytics in your dashboard
- You should see requests categorized by detection class
- Blocked requests will show in the Enforced tab
Health Endpoint
The Gateway exposes health endpoints:
# Health check
curl https://shop.example.com/__gateway/health
# Returns: { "status": "ok" }
# Readiness check
curl https://shop.example.com/__gateway/ready
# Returns: { "ready": true }
# Version info
curl https://shop.example.com/__gateway/version
# Returns: { "version": "x.x.x", "region": "..." }Troubleshooting
DNS Not Detected
| Symptom | Cause | Fix |
|---|---|---|
| Status stuck on "Pending" | DNS not propagated | Wait 15-30 minutes, then check with dig |
| Wrong CNAME target | Typo in DNS record | Verify exact value from dashboard |
| Conflicting A record | A record exists for same name | Delete the A record |
SSL Certificate Not Provisioning
- Check DNS again — Must resolve correctly before cert issuance
- Check CAA records — Remove or add Cloudflare to allowed issuers
- Cloudflare users — Ensure proxy is OFF (gray cloud)
Origin Not Reachable
- Check firewall — Allow Cloudflare IP ranges
- Check origin URL — Verify in dashboard settings
- Check HTTPS — Origin must support HTTPS
Requests Not Being Blocked
- Check policy order — Policies evaluate top-to-bottom
- Check conditions — Verify detection class matches
- Check confidence threshold — Low-confidence detections may not match
What You Learned
- How to create and configure a Checkpoint Gateway
- How to update DNS records for different providers
- How to configure enforcement policies
- How to test Gateway functionality
- How to use Gateway headers in your origin
Next Steps
| Goal | Next Cookbook |
|---|---|
| Fine-tune policies | Policy Configuration |
| Code-level enforcement | Middleware Enforcement |
| Monitor traffic | Dashboard Analytics |
| Authorize agents | Govern Overview |