Enforce: Gateway Setup
Block AI agents at the edge with zero code changes using DNS-based enforcement
Goal
Set up Checkpoint Gateway to enforce AI agent policies at the DNS/edge level — no code changes required. By the end of this cookbook, you'll have:
- Traffic routing through Checkpoint's edge network
- WASM-based detection running on every request
- Automatic SSL/TLS certificate provisioning
- Policy enforcement (block, redirect, challenge) for detected agents
Best for: Protecting any website or API without touching application code. Works with any origin server.
Prerequisites
- A Checkpoint account with a project created
- A domain or subdomain you control
- Access to your domain's DNS settings
Time Estimate
10-15 minutes (plus DNS propagation time)
Steps
Create a Gateway in the Dashboard
-
Log into your Checkpoint dashboard
-
Select your project (or create one)
-
In the dashboard, add a Gateway for your domain
-
Enter the domain or subdomain to protect:
- For subdomains:
shop.example.com,api.example.com - For apex domains:
example.com
- For subdomains:
-
Create the Gateway
The dashboard will generate the DNS records you need.
Copy the DNS Configuration
After creating the gateway, you'll see the required DNS configuration:
For subdomains (most common):
Type: CNAME
Name: shop (or your subdomain)
Value: cname.checkpoint-gateway.ai
TTL: Auto (or 300)For apex/root domains:
If your DNS provider supports CNAME flattening (Cloudflare, Route 53, Netlify):
Type: CNAME
Name: @ (or leave blank)
Value: cname.checkpoint-gateway.ai
TTL: AutoIf CNAME flattening isn't supported, use the A record shown in your dashboard.
Copy the exact values from your dashboard — they may include project-specific parameters.
Configure Your DNS
-
Log into Cloudflare dashboard
-
Select your domain
-
Go to DNS → Records
-
Click Add record
-
Configure:
- Type: CNAME
- Name: Your subdomain (e.g.,
shop) or@for apex - Target:
cname.checkpoint-gateway.ai - Proxy status: DNS only (gray cloud) — Important!
- TTL: Auto
-
Click Save
Important: Set the Cloudflare proxy to "DNS only" (gray cloud icon). Orange cloud (proxied) will break the Gateway.
-
Log into AWS Console
-
Go to Hosted zones
-
Select your domain
-
Click Create record
-
Configure:
- Record name: Your subdomain (e.g.,
shop) - Record type: CNAME
- Value:
cname.checkpoint-gateway.ai - TTL: 300
- Record name: Your subdomain (e.g.,
-
Click Create records
-
Log into Namecheap
-
Go to Domain List → Manage on your domain
-
Click Advanced DNS
-
Click Add New Record
-
Configure:
- Type: CNAME
- Host: Your subdomain (e.g.,
shop) or@for apex - Value:
cname.checkpoint-gateway.ai - TTL: Automatic
-
Click the checkmark to save
-
Log into GoDaddy
-
Go to My Products → DNS on your domain
-
Click Add in the Records section
-
Configure:
- Type: CNAME
- Name: Your subdomain (e.g.,
shop) or@for apex - Value:
cname.checkpoint-gateway.ai - TTL: 1 Hour
-
Click Save
Wait for Verification
Return to your Checkpoint dashboard. The Gateway status will progress through:
| Status | Meaning | Typical Time |
|---|---|---|
| Pending | DNS change not yet detected | 1-5 minutes |
| DNS Pending | DNS detected, confirming | seconds |
| SSL Pending | SSL certificate being issued | 1-3 minutes |
| Active | Gateway is live! | — |
DNS propagation can take up to 48 hours in rare cases. Most providers propagate within 5-15 minutes.
Verify DNS manually:
# Check if CNAME is set correctly
dig shop.example.com CNAME +short
# Should return: cname.checkpoint-gateway.ai
# Check if the domain resolves
curl -I https://shop.example.com
# Should return headers including the KYA-* detection headers (e.g. KYA-Detected, KYA-Detection-Class)Configure Enforcement Policies
Once the Gateway is active, author how detected agents are handled in Compose (Policy → Compose, /policy/compose). Describe a rule in plain language, review the Cedar it compiles to, Run dry test, then Authorize & deploy.
Example: block a scraper on your pricing page ("Block GPTBot on /pricing"):
@id("block-scraper-on-pricing")
@verdict("BLOCK")
forbid ( principal, action, resource )
when { resource.path like "/pricing*" && principal.name == "GPTBot" };Example: redirect scrapers to an AI portal ("Send scrapers to /for-ai"):
@id("redirect-scrapers")
@verdict("REDIRECT")
@redirect("/for-ai")
forbid ( principal, action, resource )
when { principal.category == "scraper" };See the policy cookbook for the full authoring walkthrough and more patterns.
Test the Gateway
Test as a human visitor:
curl -I https://shop.example.com
# Should return 200 OK with your origin's responseTest as ChatGPT:
curl -I -H "User-Agent: Mozilla/5.0 (compatible; GPTBot/1.0)" \
https://shop.example.com
# Should return 403 (if blocking AI agents)Test as Googlebot (if allowed):
curl -I -H "User-Agent: Googlebot/2.1" \
https://shop.example.com
# Should return 200 OK (if Googlebot is allowed)Check your dashboard → Analytics to see the detections logged.
Understanding Gateway Headers
The Gateway works with two distinct sets of headers.
Detection headers returned to the client
On every proxied response, the Gateway sets KYA-* headers describing the detection result. These are visible on the response you get back (e.g. via curl -I):
| Header | Value | Description |
|---|---|---|
KYA-Detected | true, false | Whether the request is interactive AI-agent traffic |
KYA-Detection-Class | human, ai_agent, bot, incomplete_data | Detection classification |
KYA-Confidence | 0–100 | Confidence score |
KYA-Agent | ChatGPT, Claude, GPTBot, etc. | Identified agent name (when known) |
KYA-Verification | did, mcp-i, pattern, none, error | How the agent was verified (signature vs. UA pattern) |
KYA-Action | allow, block, redirect, challenge, log | Enforcement action applied |
KYA-Is-AI-Crawler | true | Present only for AI training crawlers (e.g. GPTBot, ClaudeBot) |
KYA-Is-AI-Crawler is only emitted when true — treat its absence as "not a known AI crawler".
Note that training crawlers report KYA-Detected: false (they are class bot, not ai_agent)
even though KYA-Agent is populated.
Headers forwarded to your origin
Separately, the Gateway adds tracing/context headers to the request it forwards to your origin server:
| Header | Value | Description |
|---|---|---|
KYA-Request-Id | UUID | Request trace ID |
KYA-Region | Cloudflare colo (e.g. SFO) | Edge location that served the request |
KYA-Original-Origin | https://shop.example.com | The public hostname the visitor requested |
KYA-Project-Id | Project ID | Your Checkpoint project |
X-Forwarded-Host | Original host | Standard forwarded host |
X-Forwarded-Proto | https | Standard forwarded protocol |
The Gateway does not emit any checkpoint-prefixed headers. Read detection results from the
KYA-* response headers above, or from the dashboard and analytics APIs.
Your origin can inspect the forwarded context headers, and clients can read the KYA-* detection headers off the response:
// Express example — reading a forwarded context header at the origin
app.get('/api/data', (req, res) => {
const requestId = req.headers['kya-request-id'];
const region = req.headers['kya-region'];
// Detection results are attached to the response the Gateway returns to the
// client (KYA-Detected, KYA-Detection-Class, etc.), not to the origin request.
res.set('X-Trace-Id', String(requestId ?? ''));
res.json({ data: 'full', region });
});Verify It's Working
Dashboard Verification
- Go to Analytics in your dashboard
- You should see requests categorized by detection class
- Blocked requests will show in the Enforced tab
Health Endpoint
The Gateway exposes health endpoints:
# Health check
curl https://shop.example.com/__gateway/health
# Returns: { "status": "healthy", "version": "1.0.0", "timestamp": "...", "region": "SFO", "environment": "production" }
# Readiness check
curl https://shop.example.com/__gateway/ready
# Returns: { "ready": true } (or 503 { "ready": false, "error": "..." })
# Version info
curl https://shop.example.com/__gateway/version
# Returns: { "version": "1.0.0", "environment": "production" }See Monitoring for the full field reference and the separate
/__detect/health endpoint that reports WASM engine status.
Troubleshooting
DNS Not Detected
| Symptom | Cause | Fix |
|---|---|---|
| Status stuck on "Pending" | DNS not propagated | Wait 15-30 minutes, then check with dig |
| Wrong CNAME target | Typo in DNS record | Verify exact value from dashboard |
| Conflicting A record | A record exists for same name | Delete the A record |
SSL Certificate Not Provisioning
- Check DNS again — Must resolve correctly before cert issuance
- Check CAA records — Remove or add Cloudflare to allowed issuers
- Cloudflare users — Ensure proxy is OFF (gray cloud)
Origin Not Reachable
- Check firewall — Allow Cloudflare IP ranges
- Check origin URL — Verify in dashboard settings
- Check HTTPS — Origin must support HTTPS
Requests Not Being Blocked
- Deployed, not just drafted — make sure you clicked Authorize & deploy, not just "Save as draft"
- Give the cache a minute — the gateway refreshes the deployed policy within ~60s
- Dry-run it — use Run dry test to see which rule matched and why
What You Learned
- How to create and configure a Checkpoint Gateway
- How to update DNS records for different providers
- How to configure enforcement policies
- How to test Gateway functionality
- How to read the
KYA-*detection headers and origin-forwarded context headers
Next Steps
| Goal | Next Cookbook |
|---|---|
| Fine-tune policies | Policy Configuration |
| Code-level enforcement | Middleware Enforcement |
| Monitor traffic | Dashboard Analytics |
| Authorize agents | Govern Overview |