Skip to main content

Check Point Email Activation Troubleshooting

Email Protection activation failures are almost always caused by one of a small set of known issues. Use this decision tree before contacting support.

Step 0: Check Point option is not appearing

If the Check Point option doesn't appear under Security Controls, or activation won't start:

  • If your MSP trial has expired, Check Point activation is blocked until a plan is assigned. Assign a plan to the MSP account, then return to Security Controls → Email Protection and activate.

  • If a plan is active and the option still doesn't show, it may be an Early Access item — request access from that screen.

Step 1: Check your browser

Run activation in Google Chrome or Microsoft Edge. Other browsers may block the session cookies required for activation. If using Chrome, try an Incognito window to prevent interference from other Google accounts signed in on the same browser.

If the 'Start Gmail' button spins and does nothing even in Incognito, check whether Google Workspace is enforcing 2FA on the cloud-sec-av service account without backup codes enabled. To fix: in Google Admin, navigate to the cloud-sec-av user and enable backup codes, then retry the activation. If activation still doesn't proceed after this, it is a known stuck state — contact Guardz Support for a backend reset rather than continuing to retry.

Step 2: Understand the error messages

The Guardz console may show an 'Activation Failed' message during the process. This is often a generic UI message that does not mean the activation has permanently failed. Here is what each status actually means:

Status shown

What it means

What to do

Initiating

The tenant has been created and is awaiting incoming emails to begin learning

Send a few real or test emails to a protected mailbox. The status will advance automatically.

Activation Failed (during Initiating)

This is a generic UI message shown while the tenant is in the starting phase. It does NOT mean activation has permanently failed.

Wait for the tenant to complete the starting phase and enter Learning Mode. The error message will clear automatically. Do not re-trigger activation.

Start Gmail / Start Microsoft 365 spinning forever

A session cookie conflict or browser issue is preventing the OAuth step from completing. For Gmail specifically, this can also be caused by Google Workspace enforcing 2FA on the cloud-sec-av service account without backup codes enabled.

Open a new Incognito/Guest window in Chrome or Edge and restart the activation. For Gmail: if still spinning after that, enable backup codes for the cloud-sec-av user in Google Admin, then retry.

Account Activation Failed — activation timed out

Activation reached a timeout, often because test emails were not received or an old tenant is blocking

See Step 3 and Step 4 below

Failed to create a Service User for the organizational unit '[domain]'. Make sure you have at least one available G-Suite license.

No unallocated Google Workspace user license was available when activation tried to create the cloud-sec-av service account.

Provision one available user license (through Google or your license provider) and retry activation. If your plan does not allow extra users, contact Guardz Support about Manual Mode activation. See Step 0.5 above.

Step 3: Activation stuck in Validating or Initiating — send test emails

The activation needs to detect real email traffic to progress. Send a few emails to a mailbox that is in the protected domain. Any email will work — it does not need to come from a specific address. After sending, wait a few minutes and check the status.

Step 4: Old Avanan tenant is blocking activation

If your organization previously had a standalone Avanan account (outside of Guardz), it may still be registered against your domain and will block a new activation. You can identify this if activation fails repeatedly even after the browser and email steps above.

A common trigger is the activation error 'email address already in use' or 'domain already registered'. Clean up the old tenant first:

For Microsoft 365:

  • In Microsoft Entra → Enterprise Applications, find and delete the Avanan application.

  • In Exchange/Purview, remove any Avanan transport rules, mail connectors, distribution groups, and journal rules.

For Google Workspace:

  • Stop the Avanan SaaS app in Google Workspace tenant settings.

  • Delete the tenant from the Avanan MSP dashboard.

Even after completing these steps, the old domain registration may still persist. If activation remains blocked, contact Guardz Support for a backend reset — do not contact Avanan directly. Support will issue a new activation email. If the Avanan portal prompts for MFA setup after the reset, configure it using the new activation email.

Step 5: Activation in Learning Mode

After the tenant is created and begins receiving email traffic, it enters Learning Mode. This phase typically lasts 3–5 days, after which the status changes to Active. High mailbox traffic speeds up the process — sending test emails to protected mailboxes can help it progress faster.

If Learning Mode persists beyond a week despite high email volume, the tenant may be stuck and require backend intervention. Contact Guardz Support — Guardz will open a ticket with Check Point Support on your behalf. After Check Point resolves the issue, the tenant re-enters Learning Mode, which can take a few hours up to 72 hours to complete.

Step 6: After successful activation — emails not appearing

If the tenant shows as activated but no emails are appearing in the Avanan portal:

  • Confirm the Avanan mail flow rules and connectors are active in Microsoft 365 or Google Workspace.

  • If you also use another email security product (e.g., Barracuda Essentials), ensure Avanan rules have higher priority in the mail routing chain. See the co-existence guide for details.

  • Add your account to the Avanan security groups in Microsoft 365 and send a test email.

  • Wait 5–10 minutes and check the Avanan portal for message visibility.

Did this answer your question?