Checkpoint Docs
Enforce

Gateway Enforcement

DNS-based enforcement at the Cloudflare edge with zero-code setup

What is Gateway Enforcement?

The Checkpoint Gateway is a DNS-based enforcement layer that runs at the Cloudflare edge. By adding a DNS record that points your domain to the Gateway, all traffic passes through Checkpoint's WASM detection engine before reaching your origin server. No code changes are required.

User → DNS → Checkpoint Gateway → WASM Detection → Policy Enforcement → Your Origin

                                                    Dashboard Analytics

This page covers the edge Gateway — the Cloudflare-edge, DNS-based layer that inspects and enforces on inbound web traffic to your own domains. It is a different system from the organization's MCP Gateway (the "Agentic Hub"), which authorizes agent tool calls to MCP servers. For that, see Govern.

Prerequisites

  • A Checkpoint project (create one in the dashboard)
  • Access to your domain's DNS settings
  • A domain or subdomain to protect

Setup

1. Add a Gateway in the Dashboard

  1. In the dashboard, add a Gateway for the domain you want to protect
  2. Enter the domain or subdomain to protect
  3. Checkpoint generates the DNS records you need to add

2. Configure DNS

Add the DNS record shown in the dashboard. The record type depends on your domain:

Subdomains (CNAME)

For subdomains like shop.example.com or api.example.com:

Type:  CNAME
Name:  shop
Value: cname.checkpoint-gateway.ai
TTL:   Auto

Apex Domains

For root domains like example.com, use one of these approaches depending on your DNS provider:

CNAME flattening (Cloudflare, Route 53, Netlify DNS):

Type:  CNAME
Name:  @
Value: cname.checkpoint-gateway.ai
TTL:   Auto

A record (providers that don't support CNAME flattening):

Type:  A
Name:  @
Value: <IP address from dashboard>
TTL:   Auto

Most modern DNS providers support CNAME flattening at the apex. Check with your provider if you're unsure.

If your apex already serves a live site from a hosting provider (Vercel, Netlify, DreamHost, WordPress, etc.), CNAMing it to the Gateway will take the site offline unless you also configure an origin sidecar. See Gateway + Origin Sidecar.

3. Wait for Verification

After adding the DNS record:

  1. Checkpoint detects the DNS change (usually within 1–5 minutes)
  2. SSL/TLS certificate is provisioned automatically
  3. The Gateway status in the dashboard changes to Active

DNS propagation can take up to 48 hours in some cases, though most providers propagate within minutes. If verification hasn't completed after 30 minutes, check your DNS configuration.

4. Configure Policies

Once the Gateway is active, configure policies to determine how detected agents are handled.

How It Works

Request Flow

  1. A visitor's browser sends a request to your domain
  2. DNS resolves to the Checkpoint Gateway
  3. The Gateway extracts request metadata (headers, IP, TLS fingerprint, user agent)
  4. The WASM detection engine classifies the request
  5. If signature headers are present, Ed25519 verification runs
  6. The configured policy is applied
  7. If allowed, the request is proxied to your origin
  8. The detection is logged to the dashboard

Edge Detection

The Gateway uses a WebAssembly detection module that runs at Cloudflare's edge network, providing:

  • Sub-5ms detection latency (p95)
  • 300+ edge locations worldwide
  • No impact on origin server performance
  • TLS fingerprint capture — the edge computes a custom cipher-suite and extension hash (not JA3/JA4). This fingerprint is recorded for observability but is not currently consumed by the detection engine for classification; see Detection signals

SSL/TLS

Checkpoint provisions and manages TLS certificates automatically for your Gateway domains. Certificates are issued by Cloudflare and renewed before expiration.

Custom Domains

You can add multiple domains or subdomains to a single project. Each domain gets its own DNS record and independent Gateway instance.

Common setups:

DomainPurpose
www.example.comMain website
shop.example.comE-commerce storefront
api.example.comAPI endpoints

Dashboard Monitoring

The Enforce settings page shows real-time Gateway status. A gateway advances through the provisioning state machine (pending → dns_pending → ssl_pending → active), and can also be inactive or error:

StatusMeaning
PendingGateway created; DNS not yet detected
DNS PendingDNS record detected, confirming
SSL PendingSSL certificate being issued
ActiveGateway operational, traffic flowing
InactiveEnforcement disabled for this domain
ErrorConfiguration issue (see details)

See Monitoring for health endpoints and troubleshooting.

Troubleshooting

DNS Record Not Detected

  • Verify the CNAME target is exactly cname.checkpoint-gateway.ai (as shown in the dashboard)
  • Check for typos in the record name or value
  • Ensure no conflicting A records exist for the same name
  • Wait for DNS propagation (use dig or nslookup to check)
dig shop.example.com CNAME +short
# Should return: cname.checkpoint-gateway.ai

SSL Certificate Not Provisioning

  • Ensure the DNS record is correctly pointing to the Gateway
  • Check that no CAA records block certificate issuance
  • If using Cloudflare DNS, ensure the proxy is disabled (DNS-only / grey cloud)

Origin Not Reachable

  • Verify your origin server is accessible from the public internet
  • Check that your origin accepts traffic from Cloudflare IP ranges
  • Ensure no firewall rules are blocking the Gateway

Next Steps