Monitoring
Monitor Gateway and Middleware health, performance, and detection metrics
Overview
Checkpoint provides health endpoints and dashboard monitoring for your Gateway and Middleware deployments. Use these to verify your integration is working, track performance, and troubleshoot issues.
Gateway Health Endpoints
The Gateway exposes three health endpoints for monitoring and orchestration:
Health Check
GET /__gateway/healthReturns the Gateway's operational status:
{
"status": "healthy",
"wasm": "initialized",
"timestamp": "2026-02-01T12:00:00Z",
"region": "SFO"
}| Field | Description |
|---|---|
status | healthy or unhealthy |
wasm | WASM detection module state (initialized, loading, error) |
timestamp | Current UTC timestamp |
region | Cloudflare edge location serving the request |
Readiness Probe
GET /__gateway/readyKubernetes-style readiness probe. Returns 200 OK when the Gateway is ready to accept traffic, 503 Service Unavailable otherwise. Use this for load balancer health checks.
Version Info
GET /__gateway/versionReturns version and environment information:
{
"version": "1.0.0",
"environment": "production",
"region": "SFO",
"timestamp": "2026-02-01T12:00:00Z"
}Health endpoints are always accessible, even when enforcement policies would otherwise block the
request. They use the /__gateway/ prefix which is reserved for internal operations.
Dashboard Monitoring
Gateway Status
The Enforce settings page shows real-time status for each Gateway domain:
| Status | Indicator | Meaning |
|---|---|---|
| Pending | Yellow | DNS record not yet detected |
| Provisioning | Yellow | SSL certificate being provisioned |
| Active | Green | Gateway operational, traffic flowing |
| Degraded | Orange | Partial functionality (e.g., WASM loading) |
| Error | Red | Configuration error — check details |
Detection Metrics
View detection activity in the Monitor and Analyze tabs:
- Real-time feed — Live detection events as they happen
- Detection rate — Percentage of traffic classified as agents/bots
- Classification breakdown — Distribution across detection classes
- Confidence distribution — Histogram of confidence scores
- Top agents — Most frequently detected agent types
See Analytics & Reporting for detailed analytics.
Uptime Monitoring
For production deployments, configure external uptime monitoring against the health endpoints:
# Check Gateway health
curl -s https://shop.example.com/__gateway/health | jq .status
# Expected: "healthy"
# Check readiness
curl -s -o /dev/null -w "%{http_code}" https://shop.example.com/__gateway/ready
# Expected: 200Recommended Checks
| Check | Endpoint | Interval | Alert On |
|---|---|---|---|
| Health | /__gateway/health | 1 minute | status != "healthy" |
| Readiness | /__gateway/ready | 30 seconds | HTTP status != 200 |
| WASM status | /__gateway/health | 5 minutes | wasm != "initialized" |
Troubleshooting
Gateway Shows "Pending"
The DNS record hasn't been detected yet.
- Verify your DNS record points to
detect.checkpoint-gateway.ai - Check for typos in the record name or value
- Wait for DNS propagation (check with
digornslookup)
dig shop.example.com CNAME +shortGateway Shows "Error"
Common causes:
- DNS misconfiguration — Conflicting records for the same domain
- Origin unreachable — Your origin server is down or blocking Cloudflare IPs
- SSL issue — CAA records preventing certificate issuance
WASM Not Initialized
The WASM detection module failed to load.
- Check the
/__gateway/healthendpoint forwasmstatus - This typically resolves on its own as Cloudflare retries initialization
- If persistent, contact support
High Latency
Detection latency should be under 5ms (p95) for the Gateway.
- Check if signature verification is adding latency (key fetch not cached)
- Review the Cloudflare region serving your traffic
- Ensure your origin server responds quickly (Gateway latency includes origin response time)
Detection Not Appearing in Dashboard
- Verify your project ID matches the Gateway configuration
- Check that the Gateway status is Active
- Look for errors in the Monitor tab
- Confirm the request is going through the Gateway (not bypassing DNS)
Next Steps
- Gateway Enforcement — Setup and DNS configuration
- Policies — Configure enforcement rules
- Dashboard Analytics — Detailed detection analytics