Checkpoint Docs
Cookbooks

Enforce: Gateway Setup

Block AI agents at the edge with zero code changes using DNS-based enforcement

Goal

Set up Checkpoint Gateway to enforce AI agent policies at the DNS/edge level — no code changes required. By the end of this cookbook, you'll have:

  • Traffic routing through Checkpoint's edge network
  • WASM-based detection running on every request
  • Automatic SSL/TLS certificate provisioning
  • Policy enforcement (block, redirect, challenge) for detected agents

Best for: Protecting any website or API without touching application code. Works with any origin server.

Prerequisites

  • A Checkpoint account with a project created
  • A domain or subdomain you control
  • Access to your domain's DNS settings

Time Estimate

10-15 minutes (plus DNS propagation time)


Steps

Create a Gateway in the Dashboard

  1. Log into your Checkpoint dashboard

  2. Select your project (or create one)

  3. In the dashboard, add a Gateway for your domain

  4. Enter the domain or subdomain to protect:

    • For subdomains: shop.example.com, api.example.com
    • For apex domains: example.com
  5. Create the Gateway

The dashboard will generate the DNS records you need.

Copy the DNS Configuration

After creating the gateway, you'll see the required DNS configuration:

For subdomains (most common):

Type:  CNAME
Name:  shop (or your subdomain)
Value: cname.checkpoint-gateway.ai
TTL:   Auto (or 300)

For apex/root domains:

If your DNS provider supports CNAME flattening (Cloudflare, Route 53, Netlify):

Type:  CNAME
Name:  @ (or leave blank)
Value: cname.checkpoint-gateway.ai
TTL:   Auto

If CNAME flattening isn't supported, use the A record shown in your dashboard.

Copy the exact values from your dashboard — they may include project-specific parameters.

Configure Your DNS

  1. Log into Cloudflare dashboard

  2. Select your domain

  3. Go to DNS → Records

  4. Click Add record

  5. Configure:

    • Type: CNAME
    • Name: Your subdomain (e.g., shop) or @ for apex
    • Target: cname.checkpoint-gateway.ai
    • Proxy status: DNS only (gray cloud) — Important!
    • TTL: Auto
  6. Click Save

Important: Set the Cloudflare proxy to "DNS only" (gray cloud icon). Orange cloud (proxied) will break the Gateway.

  1. Log into AWS Console

  2. Go to Hosted zones

  3. Select your domain

  4. Click Create record

  5. Configure:

    • Record name: Your subdomain (e.g., shop)
    • Record type: CNAME
    • Value: cname.checkpoint-gateway.ai
    • TTL: 300
  6. Click Create records

  1. Log into Namecheap

  2. Go to Domain ListManage on your domain

  3. Click Advanced DNS

  4. Click Add New Record

  5. Configure:

    • Type: CNAME
    • Host: Your subdomain (e.g., shop) or @ for apex
    • Value: cname.checkpoint-gateway.ai
    • TTL: Automatic
  6. Click the checkmark to save

  1. Log into GoDaddy

  2. Go to My ProductsDNS on your domain

  3. Click Add in the Records section

  4. Configure:

    • Type: CNAME
    • Name: Your subdomain (e.g., shop) or @ for apex
    • Value: cname.checkpoint-gateway.ai
    • TTL: 1 Hour
  5. Click Save

Wait for Verification

Return to your Checkpoint dashboard. The Gateway status will progress through:

StatusMeaningTypical Time
PendingDNS change not yet detected1-5 minutes
DNS PendingDNS detected, confirmingseconds
SSL PendingSSL certificate being issued1-3 minutes
ActiveGateway is live!

DNS propagation can take up to 48 hours in rare cases. Most providers propagate within 5-15 minutes.

Verify DNS manually:

# Check if CNAME is set correctly
dig shop.example.com CNAME +short
# Should return: cname.checkpoint-gateway.ai

# Check if the domain resolves
curl -I https://shop.example.com
# Should return headers including the KYA-* detection headers (e.g. KYA-Detected, KYA-Detection-Class)

Configure Enforcement Policies

Once the Gateway is active, author how detected agents are handled in Compose (Policy → Compose, /policy/compose). Describe a rule in plain language, review the Cedar it compiles to, Run dry test, then Authorize & deploy.

Example: block a scraper on your pricing page ("Block GPTBot on /pricing"):

@id("block-scraper-on-pricing")
@verdict("BLOCK")
forbid ( principal, action, resource )
when { resource.path like "/pricing*" && principal.name == "GPTBot" };

Example: redirect scrapers to an AI portal ("Send scrapers to /for-ai"):

@id("redirect-scrapers")
@verdict("REDIRECT")
@redirect("/for-ai")
forbid ( principal, action, resource )
when { principal.category == "scraper" };

See the policy cookbook for the full authoring walkthrough and more patterns.

Test the Gateway

Test as a human visitor:

curl -I https://shop.example.com
# Should return 200 OK with your origin's response

Test as ChatGPT:

curl -I -H "User-Agent: Mozilla/5.0 (compatible; GPTBot/1.0)" \
  https://shop.example.com
# Should return 403 (if blocking AI agents)

Test as Googlebot (if allowed):

curl -I -H "User-Agent: Googlebot/2.1" \
  https://shop.example.com
# Should return 200 OK (if Googlebot is allowed)

Check your dashboard → Analytics to see the detections logged.


Understanding Gateway Headers

The Gateway works with two distinct sets of headers.

Detection headers returned to the client

On every proxied response, the Gateway sets KYA-* headers describing the detection result. These are visible on the response you get back (e.g. via curl -I):

HeaderValueDescription
KYA-Detectedtrue, falseWhether the request is interactive AI-agent traffic
KYA-Detection-Classhuman, ai_agent, bot, incomplete_dataDetection classification
KYA-Confidence0100Confidence score
KYA-AgentChatGPT, Claude, GPTBot, etc.Identified agent name (when known)
KYA-Verificationdid, mcp-i, pattern, none, errorHow the agent was verified (signature vs. UA pattern)
KYA-Actionallow, block, redirect, challenge, logEnforcement action applied
KYA-Is-AI-CrawlertruePresent only for AI training crawlers (e.g. GPTBot, ClaudeBot)

KYA-Is-AI-Crawler is only emitted when true — treat its absence as "not a known AI crawler". Note that training crawlers report KYA-Detected: false (they are class bot, not ai_agent) even though KYA-Agent is populated.

Headers forwarded to your origin

Separately, the Gateway adds tracing/context headers to the request it forwards to your origin server:

HeaderValueDescription
KYA-Request-IdUUIDRequest trace ID
KYA-RegionCloudflare colo (e.g. SFO)Edge location that served the request
KYA-Original-Originhttps://shop.example.comThe public hostname the visitor requested
KYA-Project-IdProject IDYour Checkpoint project
X-Forwarded-HostOriginal hostStandard forwarded host
X-Forwarded-ProtohttpsStandard forwarded protocol

The Gateway does not emit any checkpoint-prefixed headers. Read detection results from the KYA-* response headers above, or from the dashboard and analytics APIs.

Your origin can inspect the forwarded context headers, and clients can read the KYA-* detection headers off the response:

// Express example — reading a forwarded context header at the origin
app.get('/api/data', (req, res) => {
  const requestId = req.headers['kya-request-id'];
  const region = req.headers['kya-region'];

  // Detection results are attached to the response the Gateway returns to the
  // client (KYA-Detected, KYA-Detection-Class, etc.), not to the origin request.
  res.set('X-Trace-Id', String(requestId ?? ''));
  res.json({ data: 'full', region });
});

Verify It's Working

Dashboard Verification

  1. Go to Analytics in your dashboard
  2. You should see requests categorized by detection class
  3. Blocked requests will show in the Enforced tab

Health Endpoint

The Gateway exposes health endpoints:

# Health check
curl https://shop.example.com/__gateway/health
# Returns: { "status": "healthy", "version": "1.0.0", "timestamp": "...", "region": "SFO", "environment": "production" }

# Readiness check
curl https://shop.example.com/__gateway/ready
# Returns: { "ready": true }   (or 503 { "ready": false, "error": "..." })

# Version info
curl https://shop.example.com/__gateway/version
# Returns: { "version": "1.0.0", "environment": "production" }

See Monitoring for the full field reference and the separate /__detect/health endpoint that reports WASM engine status.


Troubleshooting

DNS Not Detected

SymptomCauseFix
Status stuck on "Pending"DNS not propagatedWait 15-30 minutes, then check with dig
Wrong CNAME targetTypo in DNS recordVerify exact value from dashboard
Conflicting A recordA record exists for same nameDelete the A record

SSL Certificate Not Provisioning

  • Check DNS again — Must resolve correctly before cert issuance
  • Check CAA records — Remove or add Cloudflare to allowed issuers
  • Cloudflare users — Ensure proxy is OFF (gray cloud)

Origin Not Reachable

  • Check firewall — Allow Cloudflare IP ranges
  • Check origin URL — Verify in dashboard settings
  • Check HTTPS — Origin must support HTTPS

Requests Not Being Blocked

  • Deployed, not just drafted — make sure you clicked Authorize & deploy, not just "Save as draft"
  • Give the cache a minute — the gateway refreshes the deployed policy within ~60s
  • Dry-run it — use Run dry test to see which rule matched and why

What You Learned

  • How to create and configure a Checkpoint Gateway
  • How to update DNS records for different providers
  • How to configure enforcement policies
  • How to test Gateway functionality
  • How to read the KYA-* detection headers and origin-forwarded context headers

Next Steps

GoalNext Cookbook
Fine-tune policiesPolicy Configuration
Code-level enforcementMiddleware Enforcement
Monitor trafficDashboard Analytics
Authorize agentsGovern Overview