
Gateway Enforcement

DNS-based enforcement at the Cloudflare edge with zero-code setup

What is Gateway Enforcement?

The Checkpoint Gateway is a DNS-based enforcement layer that runs at the Cloudflare edge. Once a DNS record points your domain at the Gateway, every request passes through Checkpoint's WASM detection engine before it reaches your origin server. No code changes are required.

User → DNS → Checkpoint Gateway → WASM Detection → Policy Enforcement → Your Origin
                                      │
                                      └─→ Dashboard Analytics

Prerequisites

  • A Checkpoint project (create one in the dashboard)
  • Access to your domain's DNS settings
  • A domain or subdomain to protect

Setup

1. Add a Gateway in the Dashboard

  1. Navigate to Project Settings → Enforce
  2. Click Add Gateway
  3. Enter the domain or subdomain you want to protect
  4. Checkpoint generates the DNS records you need to add

2. Configure DNS

Add the DNS record shown in the dashboard. The record type depends on your domain:

Subdomains (CNAME)

For subdomains like shop.example.com or api.example.com:

Type:  CNAME
Name:  shop
Value: detect.checkpoint-gateway.ai
TTL:   Auto

Apex Domains

For root domains like example.com, use one of these approaches depending on your DNS provider:

CNAME flattening (Cloudflare DNS and Netlify DNS support this; Route 53 alias records only point at AWS resources, so use the A record approach there unless your provider offers an ALIAS/ANAME record that accepts external names):

Type:  CNAME
Name:  @
Value: detect.checkpoint-gateway.ai
TTL:   Auto

A record (providers that don't support CNAME flattening):

Type:  A
Name:  @
Value: <IP address from dashboard>
TTL:   Auto

Most modern DNS providers support CNAME flattening at the apex. Check with your provider if you're unsure. If your DNS is hosted on Cloudflare, create the record as DNS-only (grey cloud): proxying it through your own Cloudflare zone puts a second proxy in front of the Gateway and blocks certificate provisioning.

3. Wait for Verification

After adding the DNS record:

  1. Checkpoint detects the DNS change (usually within 1–5 minutes)
  2. SSL/TLS certificate is provisioned automatically
  3. The Gateway status in the dashboard changes to Active

DNS propagation can take up to 48 hours in some cases, though most providers propagate within minutes. If verification hasn't completed after 30 minutes, check your DNS configuration.

4. Configure Policies

Once the Gateway is active, configure policies to determine how detected agents are handled.

How It Works

Request Flow

  1. A visitor's browser sends a request to your domain
  2. DNS resolves to the Checkpoint Gateway
  3. The Gateway extracts request metadata (headers, IP, TLS fingerprint, user agent)
  4. The WASM detection engine classifies the request
  5. If signature headers are present, Ed25519 verification runs
  6. The configured policy is applied
  7. If allowed, the request is proxied to your origin
  8. The detection is logged to the dashboard

Edge Detection

The Gateway uses a WebAssembly detection module that runs at Cloudflare's edge network, providing:

  • Sub-5ms detection latency (p95)
  • 300+ edge locations worldwide
  • No impact on origin server performance
  • TLS fingerprint analysis (JA3/JA4)

SSL/TLS

Checkpoint provisions and manages TLS certificates automatically for your Gateway domains. Certificates are issued by Cloudflare and renewed before expiration.

Custom Domains

You can add multiple domains or subdomains to a single project. Each domain gets its own DNS record and independent Gateway instance.

Common setups:

Domain             Purpose
www.example.com    Main website
shop.example.com   E-commerce storefront
api.example.com    API endpoints

Dashboard Monitoring

The Enforce settings page shows real-time Gateway status:

Status         Meaning
Pending        DNS record not yet detected
Provisioning   SSL certificate being issued
Active         Gateway operational, traffic flowing
Error          Configuration issue (see details)

See Monitoring for health endpoints and troubleshooting.

Troubleshooting

DNS Record Not Detected

  • Verify the CNAME target is exactly detect.checkpoint-gateway.ai (as shown in the dashboard)
  • Check for typos in the record name or value
  • Ensure no conflicting A records exist for the same name
  • Wait for DNS propagation (use dig or nslookup to check):

dig shop.example.com CNAME +short
# Should return: detect.checkpoint-gateway.ai.
# (dig prints the target with a trailing dot; the name itself must match exactly)

SSL Certificate Not Provisioning

  • Ensure the DNS record is correctly pointing to the Gateway
  • Check that no CAA records block certificate issuance
  • If using Cloudflare DNS, ensure the proxy is disabled (DNS-only / grey cloud)
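The checks in the two lists above (record not detected, certificate not provisioning) and in step 3 of Setup, scripted as an added example; this is not Checkpoint's own tooling. It assumes dig and openssl are installed, that detect.checkpoint-gateway.ai is the target your dashboard shows, and that the CA names in CANDIDATE_CAS are the ones Cloudflare issues from (an assumption; substitute whatever the dashboard reports). The answer-parsing and CAA logic is separated from the live lookups so it can be exercised on captured dig output.

```shell
#!/bin/sh
# Constructed example (not Checkpoint's own tooling): check a Gateway hostname's
# DNS and TLS state the way the troubleshooting lists describe.
# Needs dig and openssl on the machine running it.

GATEWAY_TARGET="detect.checkpoint-gateway.ai"
# Assumption: Cloudflare-issued certificates come from one of these CAs.
CANDIDATE_CAS="letsencrypt.org pki.goog"

# Does a `dig NAME CNAME +short` answer point at the Gateway? Takes the answer
# text as an argument so it can be tested without network access.
cname_points_to_gateway() {
  local answer
  answer=$(printf '%s\n' "$1" | sed -n '1p')   # first line only
  answer="${answer%.}"                          # dig prints a trailing dot
  [ "$answer" = "${2:-$GATEWAY_TARGET}" ]
}

# Classify the first line of `dig NAME A +short`: a hostname (trailing dot)
# means dig followed a CNAME, a dotted quad means a bare A record at the name,
# and an empty answer means nothing is published yet.
answer_shape() {
  local first
  first=$(printf '%s\n' "$1" | sed -n '1p')
  case "$first" in
    "") echo none ;;
    *.) echo cname ;;
    *)  echo a ;;
  esac
}

# RFC 8659 CAA logic on `dig NAME CAA +short` output: with no "issue" records
# any CA may issue; otherwise some "issue" record must name the CA, and a value
# of ";" permits nobody. Parameters after ";" in a value are ignored.
caa_allows_issuer() {
  local records="$1" ca="$2"
  if ! printf '%s\n' "$records" | grep -Eq '^[0-9]+ issue '; then
    return 0
  fi
  printf '%s\n' "$records" \
    | sed -n 's/^[0-9]* issue "\([^";]*\).*/\1/p' \
    | grep -qxF "$ca"
}

# CAA is inherited from the nearest ancestor that publishes one, so walk up.
effective_caa() {
  local zone="$1" caa
  while [ -n "$zone" ]; do
    caa=$(dig +short "$zone" CAA)
    if [ -n "$caa" ]; then printf '%s\n' "$caa"; return 0; fi
    case "$zone" in *.*) zone="${zone#*.}" ;; *) zone="" ;; esac
  done
}

# Issuer and expiry of the certificate currently served for NAME.
tls_issuer() {
  openssl s_client -servername "$1" -connect "$1:443" </dev/null 2>/dev/null \
    | openssl x509 -noout -issuer -enddate
}

check_gateway_dns() {
  local name="$1" cname a caa ca
  cname=$(dig +short "$name" CNAME)
  if [ -n "$cname" ]; then
    if cname_points_to_gateway "$cname"; then
      echo "ok:   $name is a CNAME to $GATEWAY_TARGET"
    else
      echo "FAIL: $name is a CNAME to $cname, expected $GATEWAY_TARGET"
    fi
  else
    a=$(dig +short "$name" A)
    case "$(answer_shape "$a")" in
      none) echo "FAIL: no CNAME or A record for $name yet (typo, or still propagating?)" ;;
      *)    echo "info: $name resolves to $a without a CNAME; expected for a flattened apex, otherwise confirm it is the IP from the dashboard" ;;
    esac
  fi
  caa=$(effective_caa "$name")
  for ca in $CANDIDATE_CAS; do
    if caa_allows_issuer "$caa" "$ca"; then
      echo "ok:   CAA permits $ca"
    else
      echo "FAIL: CAA blocks $ca:"; printf '      %s\n' "$caa"
    fi
  done
  tls_issuer "$name" 2>/dev/null || echo "info: no certificate served yet for $name"
}

# usage: sh gateway-check.sh shop.example.com
if [ "$#" -gt 0 ]; then check_gateway_dns "$1"; fi
```

Run it against each Gateway hostname after adding the record; a FAIL on the CAA line means a record at that name or a parent is what is holding up provisioning.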

Origin Not Reachable

  • Verify your origin server is accessible from the public internet
  • Check that your origin accepts traffic from Cloudflare IP ranges
  • Ensure no firewall rules are blocking the Gateway
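For the origin side, an added example (not Checkpoint's code) that probes the origin directly with curl --resolve and generates an allowlist for Cloudflare's edge ranges. The allowlist matters for more than reachability: an origin that answers any source can be reached by its IP address directly, which skips the Gateway's detection entirely. The prefix list is a constructed sample of Cloudflare's published IPv4 ranges (fetch the live list from https://www.cloudflare.com/ips-v4 and /ips-v6 before relying on it); the function names and the origin IP are this example's own.

```shell
#!/bin/sh
# Constructed example (not Checkpoint's own tooling): confirm the origin is
# reachable directly and emit firewall rules that admit only Cloudflare's
# edge ranges. Needs curl; the CIDR arithmetic is IPv4 only.

# Sample of Cloudflare's published IPv4 prefixes; refresh from
# https://www.cloudflare.com/ips-v4 in production.
SAMPLE_CF_RANGES="173.245.48.0/20
103.21.244.0/22
104.16.0.0/13
172.64.0.0/13"

# Dotted-quad IPv4 address to a 32-bit integer.
ip_to_int() {
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# True if IP falls inside CIDR, e.g. 173.245.48.7 in 173.245.48.0/20.
ip_in_cidr() {
  local net="${2%/*}" bits="${2#*/}" mask
  mask=$(( bits == 0 ? 0 : (4294967295 << (32 - bits)) & 4294967295 ))
  [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# True if IP is inside any prefix of the whitespace-separated RANGES list.
ip_in_ranges() {
  local ip="$1" cidr
  for cidr in $2; do
    if ip_in_cidr "$ip" "$cidr"; then return 0; fi
  done
  return 1
}

# Emit iptables rules that accept HTTPS from RANGES and drop everything else.
# Printed, not applied: review them, then load them with your normal tooling.
origin_allowlist_rules() {
  local cidr
  for cidr in $1; do
    echo "iptables -A INPUT -p tcp --dport 443 -s $cidr -j ACCEPT"
  done
  echo "iptables -A INPUT -p tcp --dport 443 -j DROP"
}

# Hit the origin directly, bypassing DNS (and therefore the Gateway), to
# separate "origin is down" from "Gateway cannot reach origin". ORIGIN_IP is
# the origin's public address; add -k only if it serves a self-signed cert.
probe_origin_direct() {
  local host="$1" origin_ip="$2"
  curl -sS -o /dev/null -w '%{http_code}\n' --max-time 10 \
    --resolve "$host:443:$origin_ip" "https://$host/"
}

# usage: sh origin-check.sh shop.example.com 203.0.113.10
if [ "$#" -eq 2 ]; then
  probe_origin_direct "$1" "$2"
  origin_allowlist_rules "$SAMPLE_CF_RANGES"
fi
```

A 000 status from the probe means the origin itself is unreachable from where you ran it; a normal status from the probe with an Error state in the dashboard points at a firewall that admits your address but not Cloudflare's ranges.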

Next Steps