In local/tags.conf both are enabled:

[eventtype=check_point_action]
communicate = enabled
network = enabled

Checked splunk cmd to confirm the tags are being used & they are:

Splunk_TA_checkpoint-opseclea]$ splunk cmd btool tags list --debug | grep 'Splunk_TA_checkpoint-opseclea' | egrep 'communicate|network' | sort | uniq
/opt/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/local/tags.conf communicate = enabled
/opt/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/local/tags.conf [eventtype=opsec_communicate]
/opt/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/local/tags.conf network = enabled

Here is the output for tag=network OR tag=communicate action=* | stats values(action) by sourcetype :
sourcetype values(action)
linux_secure success
opendns:dnslogs
Allowed
Blocked
Proxied
opsec:anti_malware

blocked
deferred
opsec:anti_virus deferred
opsec:smartdefense

blocked
deferred
opsec:threat_emulation deferred
opsec:vpn

blocked
dropped

It's a bit hard to make out based on the formatting, but it looks to me like whatever sources or sourcetypes that are in in the eventtype search "opsec_communicate" is what's missing here...that said it looks like your local overrides for check_point_action eventtype should work, but in any case, if you can get tag=network or tag=communicate to actually return results for action=allowed, that will fix the DM problem.

Ya, formatting is terrible, I can't upload a picture...
Here is another crack at it with the action values below the sourcetype:
sourcetype values(action)
linux_secure
success

opendns:dnslogs 
Allowed
Blocked
Proxied

opsec:anti_malware  
blocked
deferred

opsec:anti_virus
deferred

opsec:smartdefense  
blocked
deferred

opsec:threat_emulation
deferred

opsec:vpn   
blocked
dropped

For |from datamodel:"Network_Traffic" | stats count by action here are the results:

action  count
blocked 82
deferred    270
dropped 108

The TA is Splunk_TA_checkpoint-opseclea, no local transform & for props there is only this that deals with action:

FIELDALIAS-protocol_for_opsec = proto AS protocol
FIELDALIAS-opsec_action = te_action AS action vendor_action AS action

For default/props.conf here is everything with action:
Splunk_TA_checkpoint-opseclea]$ grep 'action' default/props.conf

REPORT-checkpoint_action_for_checkpoint = action_as_checkpoint_action
REPORT-action_as_threat_emulation_action = action_as_threat_emulation_action
FIELDALIAS-vendor_action = action as vendor_action
LOOKUP-action_for_opsec = checkpoint_opsec_action_lookup vendor_action OUTPUT action
REPORT-action_as_ips_action = action_as_threat_emulation_action
LOOKUP-action_for_av = te_action_lookup te_action OUTPUT action
REPORT-action_as_threat_emulation_action = action_as_threat_emulation_action
REPORT-opsec_vendor_action_field = opsec_vendor_action_field
FIELDALIAS-vendor_action = action as vendor_action
LOOKUP-action_for_opsec = checkpoint_opsec_action_lookup vendor_action OUTPUT action
REPORT-checkpoint_action_for_checkpoint = vendor_action_for_opsec
EVAL-look_up_key = case((Subject="File Operation"),"filesystem",(Operation="Create Object" OR Operation="Modify Object" OR Operation="Delete Object"),Operation,(Operation="Log In" OR Operation="Log Out" OR Operation="Force Log Out"),if(isnull(status),"Success",status),1==1,action)
LOOKUP-checkpoint_audit_action_lookup = checkpoint_audit_action_lookup look_up_key OUTPUT action,app
REPORT-action_as_threat_emulation_action = action_as_threat_emulation_action
FIELDALIAS-category_for_threat_emulation = malware_action as category
LOOKUP-action_for_te = te_action_lookup te_action OUTPUT action
REPORT-action_as_anti_bot_action = action_as_threat_emulation_action
LOOKUP-action_for_te = te_action_lookup te_action OUTPUT action
REPORT-action_as_anti_virus_action = action_as_threat_emulation_action
LOOKUP-action_for_av = te_action_lookup te_action OUTPUT action

I believe the TA is overriding the action and missing the 'allowed. You can comment out FIELDALIAS-opsec_action = te_action AS action vendor_action AS action any any other related ones and see which one is causing the issue.