Gateway Enforcement
DNS-based enforcement at the Cloudflare edge with zero-code setup
What is Gateway Enforcement?
The Checkpoint Gateway is a DNS-based enforcement layer that runs at the Cloudflare edge. By adding a DNS record that points your domain to the Gateway, all traffic passes through Checkpoint's WASM detection engine before reaching your origin server. No code changes are required.
User → DNS → Checkpoint Gateway → WASM Detection → Policy Enforcement → Your Origin
↓
Dashboard AnalyticsThis page covers the edge Gateway — the Cloudflare-edge, DNS-based layer that inspects and enforces on inbound web traffic to your own domains. It is a different system from the organization's MCP Gateway (the "Agentic Hub"), which authorizes agent tool calls to MCP servers. For that, see Govern.
Prerequisites
- A Checkpoint project (create one in the dashboard)
- Access to your domain's DNS settings
- A domain or subdomain to protect
Setup
1. Add a Gateway in the Dashboard
- In the dashboard, add a Gateway for the domain you want to protect
- Enter the domain or subdomain to protect
- Checkpoint generates the DNS records you need to add
2. Configure DNS
Add the DNS record shown in the dashboard. The record type depends on your domain:
Subdomains (CNAME)
For subdomains like shop.example.com or api.example.com:
Type: CNAME
Name: shop
Value: cname.checkpoint-gateway.ai
TTL: AutoApex Domains
For root domains like example.com, use one of these approaches depending on your DNS provider:
CNAME flattening (Cloudflare, Route 53, Netlify DNS):
Type: CNAME
Name: @
Value: cname.checkpoint-gateway.ai
TTL: AutoA record (providers that don't support CNAME flattening):
Type: A
Name: @
Value: <IP address from dashboard>
TTL: AutoMost modern DNS providers support CNAME flattening at the apex. Check with your provider if you're unsure.
If your apex already serves a live site from a hosting provider (Vercel, Netlify, DreamHost, WordPress, etc.), CNAMing it to the Gateway will take the site offline unless you also configure an origin sidecar. See Gateway + Origin Sidecar.
3. Wait for Verification
After adding the DNS record:
- Checkpoint detects the DNS change (usually within 1–5 minutes)
- SSL/TLS certificate is provisioned automatically
- The Gateway status in the dashboard changes to Active
DNS propagation can take up to 48 hours in some cases, though most providers propagate within minutes. If verification hasn't completed after 30 minutes, check your DNS configuration.
4. Configure Policies
Once the Gateway is active, configure policies to determine how detected agents are handled.
How It Works
Request Flow
- A visitor's browser sends a request to your domain
- DNS resolves to the Checkpoint Gateway
- The Gateway extracts request metadata (headers, IP, TLS fingerprint, user agent)
- The WASM detection engine classifies the request
- If signature headers are present, Ed25519 verification runs
- The configured policy is applied
- If allowed, the request is proxied to your origin
- The detection is logged to the dashboard
Edge Detection
The Gateway uses a WebAssembly detection module that runs at Cloudflare's edge network, providing:
- Sub-5ms detection latency (p95)
- 300+ edge locations worldwide
- No impact on origin server performance
- TLS fingerprint capture — the edge computes a custom cipher-suite and extension hash (not JA3/JA4). This fingerprint is recorded for observability but is not currently consumed by the detection engine for classification; see Detection signals
SSL/TLS
Checkpoint provisions and manages TLS certificates automatically for your Gateway domains. Certificates are issued by Cloudflare and renewed before expiration.
Custom Domains
You can add multiple domains or subdomains to a single project. Each domain gets its own DNS record and independent Gateway instance.
Common setups:
| Domain | Purpose |
|---|---|
www.example.com | Main website |
shop.example.com | E-commerce storefront |
api.example.com | API endpoints |
Dashboard Monitoring
The Enforce settings page shows real-time Gateway status. A gateway advances through the provisioning state machine (pending → dns_pending → ssl_pending → active), and can also be inactive or error:
| Status | Meaning |
|---|---|
| Pending | Gateway created; DNS not yet detected |
| DNS Pending | DNS record detected, confirming |
| SSL Pending | SSL certificate being issued |
| Active | Gateway operational, traffic flowing |
| Inactive | Enforcement disabled for this domain |
| Error | Configuration issue (see details) |
See Monitoring for health endpoints and troubleshooting.
Troubleshooting
DNS Record Not Detected
- Verify the CNAME target is exactly
cname.checkpoint-gateway.ai(as shown in the dashboard) - Check for typos in the record name or value
- Ensure no conflicting A records exist for the same name
- Wait for DNS propagation (use
digornslookupto check)
dig shop.example.com CNAME +short
# Should return: cname.checkpoint-gateway.aiSSL Certificate Not Provisioning
- Ensure the DNS record is correctly pointing to the Gateway
- Check that no CAA records block certificate issuance
- If using Cloudflare DNS, ensure the proxy is disabled (DNS-only / grey cloud)
Origin Not Reachable
- Verify your origin server is accessible from the public internet
- Check that your origin accepts traffic from Cloudflare IP ranges
- Ensure no firewall rules are blocking the Gateway
Next Steps
- Gateway Cookbook — Step-by-step gateway setup guide
- Policies — Configure what happens when agents are detected
- Detection in Enforce Mode — How the Gateway detects agents
- Monitoring — Health endpoints and status checks