Monitoring
Monitor Gateway and Middleware health, performance, and detection metrics
Overview
Checkpoint provides health endpoints and dashboard monitoring for your Gateway and Middleware deployments. Use these to verify your integration is working, track performance, and troubleshoot issues.
Gateway Health Endpoints
The Gateway exposes three health endpoints for monitoring and orchestration:
Health Check
GET /__gateway/healthReturns the Gateway's operational status:
{
"status": "healthy",
"version": "1.0.0",
"timestamp": "2026-02-01T12:00:00Z",
"region": "SFO",
"environment": "production"
}| Field | Description |
|---|---|
status | Always healthy when the endpoint responds 200 |
version | Gateway build version (static, from config) |
timestamp | Current UTC timestamp |
region | Cloudflare edge location serving the request |
environment | Deployment environment (e.g. production) |
/__gateway/health reports the edge worker's own liveness — it does not carry WASM detection
state. To check the detection engine, use the separate /__detect/health endpoint, which returns
{ "status": "healthy", "wasmVersion", "wasmInitialized": true, "environment", "timestamp" } (and
503 with status: "degraded" / "unhealthy" when the engine is faulting or failed to
initialize).
Readiness Probe
GET /__gateway/readyKubernetes-style readiness probe. Returns 200 with { "ready": true } when the Gateway can reach its routing store, or 503 with { "ready": false, "error": "KV namespace unavailable" } otherwise. Use this for load balancer health checks.
Version Info
GET /__gateway/versionReturns version and environment information:
{
"version": "1.0.0",
"environment": "production"
}version is a static build value from the worker's configuration — it is not derived per-request,
so /__gateway/version returns neither region nor timestamp.
Health endpoints are always accessible, even when enforcement policies would otherwise block the
request. They use the /__gateway/ prefix which is reserved for internal operations.
Dashboard Monitoring
Gateway Status
The Enforce settings page shows real-time status for each Gateway domain:
The status maps to the underlying provisioning state machine (pending → dns_pending → ssl_pending → active, plus inactive and error):
| Status | Indicator | Meaning |
|---|---|---|
| Pending | Yellow | Gateway created; DNS record not yet detected |
| DNS Pending | Yellow | DNS record detected, awaiting confirmation |
| SSL Pending | Yellow | SSL certificate being provisioned |
| Active | Green | Gateway operational, traffic flowing |
| Inactive | Gray | Enforcement disabled for this domain |
| Error | Red | Configuration error — check details |
Detection Metrics
View detection activity in the Monitor and Analyze tabs:
- Real-time feed — Live detection events as they happen
- Detection rate — Percentage of traffic classified as agents/bots
- Classification breakdown — Distribution across detection classes
- Confidence distribution — Histogram of confidence scores
- Top agents — Most frequently detected agent types
See Analytics & Reporting for detailed analytics.
Uptime Monitoring
For production deployments, configure external uptime monitoring against the health endpoints:
# Check Gateway health
curl -s https://shop.example.com/__gateway/health | jq .status
# Expected: "healthy"
# Check readiness
curl -s -o /dev/null -w "%{http_code}" https://shop.example.com/__gateway/ready
# Expected: 200Recommended Checks
| Check | Endpoint | Interval | Alert On |
|---|---|---|---|
| Health | /__gateway/health | 1 minute | HTTP status != 200 |
| Readiness | /__gateway/ready | 30 seconds | HTTP status != 200 |
| WASM status | /__detect/health | 5 minutes | wasmInitialized != true |
Troubleshooting
Gateway Shows "Pending"
The DNS record hasn't been detected yet.
- Verify your DNS record points to
cname.checkpoint-gateway.ai - Check for typos in the record name or value
- Wait for DNS propagation (check with
digornslookup)
dig shop.example.com CNAME +shortGateway Shows "Error"
Common causes:
- DNS misconfiguration — Conflicting records for the same domain
- Origin unreachable — Your origin server is down or blocking Cloudflare IPs
- SSL issue — CAA records preventing certificate issuance
WASM Not Initialized
The WASM detection module failed to load.
- Check the
/__detect/healthendpoint —wasmInitialized: truemeans the engine is up; a503withstatus: "degraded"or"unhealthy"indicates a faulting or failed engine - This typically resolves on its own as Cloudflare retries initialization
- If persistent, contact support
High Latency
Detection latency should be under 5ms (p95) for the Gateway.
- Check if signature verification is adding latency (key fetch not cached)
- Review the Cloudflare region serving your traffic
- Ensure your origin server responds quickly (Gateway latency includes origin response time)
Detection Not Appearing in Dashboard
- Verify your project ID matches the Gateway configuration
- Check that the Gateway status is Active
- Look for errors in the Monitor tab
- Confirm the request is going through the Gateway (not bypassing DNS)
Next Steps
- Gateway Enforcement — Setup and DNS configuration
- Policies — Configure enforcement rules
- Dashboard Analytics — Detailed detection analytics