Checkpoint Docs
Enforce

Monitoring

Monitor Gateway and Middleware health, performance, and detection metrics

Overview

Checkpoint provides health endpoints and dashboard monitoring for your Gateway and Middleware deployments. Use these to verify your integration is working, track performance, and troubleshoot issues.

Gateway Health Endpoints

The Gateway exposes three health endpoints for monitoring and orchestration:

Health Check

GET /__gateway/health

Returns the Gateway's operational status:

{
  "status": "healthy",
  "version": "1.0.0",
  "timestamp": "2026-02-01T12:00:00Z",
  "region": "SFO",
  "environment": "production"
}
FieldDescription
statusAlways healthy when the endpoint responds 200
versionGateway build version (static, from config)
timestampCurrent UTC timestamp
regionCloudflare edge location serving the request
environmentDeployment environment (e.g. production)

/__gateway/health reports the edge worker's own liveness — it does not carry WASM detection state. To check the detection engine, use the separate /__detect/health endpoint, which returns { "status": "healthy", "wasmVersion", "wasmInitialized": true, "environment", "timestamp" } (and 503 with status: "degraded" / "unhealthy" when the engine is faulting or failed to initialize).

Readiness Probe

GET /__gateway/ready

Kubernetes-style readiness probe. Returns 200 with { "ready": true } when the Gateway can reach its routing store, or 503 with { "ready": false, "error": "KV namespace unavailable" } otherwise. Use this for load balancer health checks.

Version Info

GET /__gateway/version

Returns version and environment information:

{
  "version": "1.0.0",
  "environment": "production"
}

version is a static build value from the worker's configuration — it is not derived per-request, so /__gateway/version returns neither region nor timestamp.

Health endpoints are always accessible, even when enforcement policies would otherwise block the request. They use the /__gateway/ prefix which is reserved for internal operations.

Dashboard Monitoring

Gateway Status

The Enforce settings page shows real-time status for each Gateway domain:

The status maps to the underlying provisioning state machine (pending → dns_pending → ssl_pending → active, plus inactive and error):

StatusIndicatorMeaning
PendingYellowGateway created; DNS record not yet detected
DNS PendingYellowDNS record detected, awaiting confirmation
SSL PendingYellowSSL certificate being provisioned
ActiveGreenGateway operational, traffic flowing
InactiveGrayEnforcement disabled for this domain
ErrorRedConfiguration error — check details

Detection Metrics

View detection activity in the Monitor and Analyze tabs:

  • Real-time feed — Live detection events as they happen
  • Detection rate — Percentage of traffic classified as agents/bots
  • Classification breakdown — Distribution across detection classes
  • Confidence distribution — Histogram of confidence scores
  • Top agents — Most frequently detected agent types

See Analytics & Reporting for detailed analytics.

Uptime Monitoring

For production deployments, configure external uptime monitoring against the health endpoints:

# Check Gateway health
curl -s https://shop.example.com/__gateway/health | jq .status
# Expected: "healthy"

# Check readiness
curl -s -o /dev/null -w "%{http_code}" https://shop.example.com/__gateway/ready
# Expected: 200
CheckEndpointIntervalAlert On
Health/__gateway/health1 minuteHTTP status != 200
Readiness/__gateway/ready30 secondsHTTP status != 200
WASM status/__detect/health5 minuteswasmInitialized != true

Troubleshooting

Gateway Shows "Pending"

The DNS record hasn't been detected yet.

  • Verify your DNS record points to cname.checkpoint-gateway.ai
  • Check for typos in the record name or value
  • Wait for DNS propagation (check with dig or nslookup)
dig shop.example.com CNAME +short

Gateway Shows "Error"

Common causes:

  • DNS misconfiguration — Conflicting records for the same domain
  • Origin unreachable — Your origin server is down or blocking Cloudflare IPs
  • SSL issue — CAA records preventing certificate issuance

WASM Not Initialized

The WASM detection module failed to load.

  • Check the /__detect/health endpoint — wasmInitialized: true means the engine is up; a 503 with status: "degraded" or "unhealthy" indicates a faulting or failed engine
  • This typically resolves on its own as Cloudflare retries initialization
  • If persistent, contact support

High Latency

Detection latency should be under 5ms (p95) for the Gateway.

  • Check if signature verification is adding latency (key fetch not cached)
  • Review the Cloudflare region serving your traffic
  • Ensure your origin server responds quickly (Gateway latency includes origin response time)

Detection Not Appearing in Dashboard

  • Verify your project ID matches the Gateway configuration
  • Check that the Gateway status is Active
  • Look for errors in the Monitor tab
  • Confirm the request is going through the Gateway (not bypassing DNS)

Next Steps