156-590 Check Point Certified Threat Prevention Specialist (CTPS) Questions and Answers

The correct answer is B. Prevent . From a performance perspective, the most resource-intensive setting is generally the one that requires the gateway not only to inspect and identify the threat, but also to enforce a blocking decision inline. Prevent mode means the protection is actively applied to traffic and the gateway must make a real-time enforcement decision. Check Point explains that Threat Prevention profiles activate protections based on factors that include the performance impact of the protection , threat severity, confidence level, and blade-specific settings. Check Point’s IPS optimization guidance also warns that some protections require more system resources to inspect traffic and recommends focusing on lower-impact protections when reducing gateway resource use is necessary.

By comparison, Inactive is the least intensive because the protection is not enforced. Detect can log or report detection without blocking, which is useful for staging and troubleshooting. Inspect still consumes inspection resources, but Prevent typically represents the highest operational burden because it performs inline analysis and enforcement, and may require buffering, stream handling, packet modification, or connection termination depending on blade and protocol. In real deployments, the exact resource cost also depends on traffic mix, protocol, file size, SSL inspection, protection complexity, and whether traffic remains accelerated. Reference topics: IPS Profile Settings, protection activation, Prevent versus Detect, Performance Impact, IPS optimization.

The correct answer is D. 2 million . In R81.20, Check Point expanded the supported scale for custom threat intelligence observables. The R81.20 Threat Prevention Administration Guide states that, starting from R81.20, the Security Gateway supports at least 2 million patterns/observables for URL, Domain, IP address, and Hash observable types. It also notes that the maximum number is limited by available memory and disk space on the Security Gateway, and that the gateway checks whether 50% of total memory is free before loading more patterns or observables.

This capability applies to Custom Intelligence Feeds, which let administrators fetch feeds from third-party servers directly to the Security Gateway for enforcement by Anti-Virus, Anti-Bot, and IPS blades. The feature reduces operational overhead by allowing external indicators to be managed and monitored through the Threat Prevention enforcement path. The incorrect options either understate or overstate the documented baseline. “Unlimited” is also incorrect because Check Point explicitly ties the upper boundary to memory and disk capacity. Reference topics: Custom Threat Indicators, External IoC Feeds, Custom Intelligence Feeds, observable scale, R81.20 Threat Prevention, URL/domain/IP/hash indicators.

The correct answer is B. Rule Header and Rule Options . Check Point supports SNORT rule import so administrators can create custom IPS protections from SNORT signatures. The official Check Point SNORT Signature Support documentation states that SNORT rules use signatures to define attacks and that a SNORT rule has a rule header and rule options . It also provides the syntax structure, where the first section contains action, protocol, source, destination, ports, and direction, while the options section contains keywords such as message and content match criteria.

The Rule Header defines the traffic selector and enforcement context: protocol, source address, source port, direction, destination address, and destination port. The Rule Options define the detection logic and metadata inside parentheses, such as msg, content, and other matching keywords. “Rule body” is not the formal Check Point/SNORT term in this context, and “rule start/rule stop” is not a recognized logical construction. This matters because imported SNORT rules become IPS protections, so syntax correctness affects whether the Management Server can parse, import, and enforce the custom signature. Reference topics: SNORT Signature Support, Custom IPS Protections, Rule Header, Rule Options, imported SNORT protections.

The correct answer is B. Exclusions . In Anti-Virus policy design, exclusions are used to remove selected traffic or file categories from Anti-Virus inspection when inspection is unnecessary, redundant, or too costly for the business flow. Check Point documentation states that Threat Prevention can be configured to exclude files from inspection , including examples such as internal emails and internal file transfers. The same section explains that these settings are based on interface type and traffic direction.

This directly aligns with the performance objective in the question: if the gateway does not inspect files that are already trusted, internal, or operationally low-risk, Anti-Virus consumes fewer CPU, memory, buffering, and content-inspection resources. Content Control is not the Anti-Virus bypass feature named in this context. Exceptions are policy-level constructs that can exclude traffic from Threat Prevention enforcement, but the question specifically asks for the feature that improves Anti-Virus performance by bypassing inspection of specific files, which is Exclusions . Bypass describes the effect, not the named feature. Reference topics: Anti-Virus Settings, Protected Scope, file inspection exclusions, interface direction, Threat Prevention performance optimization.

The correct answer is D. Optimized . In Check Point Threat Prevention, profiles define how the gateway applies protections across blades such as IPS, Anti-Bot, Anti-Virus, Threat Emulation, and Threat Extraction. The default profile is Optimized , because it balances effective security with acceptable gateway performance. Check Point documentation states that the Optimized profile is activated by default and that it gives excellent security with good gateway performance.

This design reflects the practical tradeoff in enterprise Threat Prevention: not every protection should be enabled at the most aggressive setting on every gateway, because high-impact protections can increase CPU consumption, latency, and inspection overhead. The Optimized profile uses criteria such as protection severity, confidence, and performance impact to activate protections that are broadly useful without creating unnecessary operational cost. Basic is less aggressive and is intended for lower-impact protection coverage. Strict provides wider coverage but can affect performance more significantly. Standard is not one of the default Threat Prevention profiles in this context. Reference topics: Threat Prevention Profiles, default profile behavior, Optimized Protection Profile settings, blade activation, security/performance balance.

The correct answer is C. MITRE Corporation . CVE, or Common Vulnerabilities and Exposures, is the standardized naming system used across security vendors, vulnerability databases, IPS signatures, advisories, scanners, and remediation programs. In a Check Point Threat Prevention context, CVE identifiers are important because IPS protections frequently map detections and exploit protections to known vulnerabilities. This allows administrators to correlate a Check Point IPS protection with vendor advisories, exposure management, patching, and risk prioritization. The official CVE site describes CVE as an authoritative reference method for publicly known information-security vulnerabilities and exposures. MITRE documentation states that The MITRE Corporation maintains CVE and its public website , manages compatibility, and provides technical guidance to the CVE Editorial Board.

The distractors represent related but distinct roles. DHS/CISA has historically sponsored or funded the program, but sponsorship is not ownership and maintenance of the CVE list itself. NIST maintains the National Vulnerability Database, which enriches CVE data with scoring and analysis, but NVD is downstream from CVE identifiers. Check Point consumes CVE intelligence through IPS and ThreatCloud-driven protections; it does not own the CVE program. Reference topics: IPS vulnerability mapping, CVE-based protection metadata, threat intelligence normalization, vulnerability-to-protection correlation.

The correct answer is C. This feature is to prevent IPS Enforcement to interfere with important Security Gateway operations, such as Control Connections . IPS Implied Exceptions are designed as safeguard exceptions for traffic that is necessary for the Security Gateway, management, or Check Point infrastructure to operate correctly. The purpose is not to define general unmatched-traffic behavior. Instead, they prevent IPS enforcement from disrupting essential control-plane and gateway-related communications. Check Point’s Threat Prevention exception documentation shows that IPS exceptions are a formal part of policy tuning and that exception changes are enforced through policy installation.

The operational logic is straightforward: IPS protections can be aggressive, and some protections inspect protocol behavior that may resemble attack traffic. If critical control connections, management channels, clustering traffic, or internal gateway operations were treated exactly like ordinary data-plane traffic, IPS could interfere with the stability of the platform. Implied Exceptions provide a built-in safety layer to avoid that outcome. Options A, B, and D incorrectly describe rulebase cleanup behavior or layer absence behavior. Those concerns are handled by policy structure, ordered layers, and default/cleanup behavior, not by IPS Implied Exceptions. Reference topics: IPS Exceptions, Implied IPS Exceptions, control connections, gateway operations, exception rule policy installation.

The correct answer is C. HTTP/HTTPS . The course-guide answer identifies HTTP/HTTPS as the Anti-Virus protocols enabled by default. Architecturally, this reflects the most common perimeter malware-delivery path: users downloading web content from the Internet. HTTP is naturally visible to the gateway, while HTTPS requires HTTPS Inspection to expose encrypted file transfers and web objects for Anti-Virus inspection. Check Point documentation notes that most traffic is HTTPS rather than HTTP and recommends enabling HTTPS Inspection to maximize the effectiveness of Threat Prevention Software Blades.

The broader Anti-Virus blade can support more protocols than the default enabled set. Check Point documents that HTTP, FTP, SMB, and SMTP are protocols selectable in SmartConsole, and that IMAP and POP3 can also be enabled through configuration. This distinction is the certification point: supported does not necessarily mean enabled by default . FTP, SMB, SMTP, IMAP, and POP3 can extend inspection coverage, but enabling more protocol inspection increases processing scope and must be aligned with topology, performance, and business risk. Reference topics: Anti-Virus Settings, HTTPS Inspection, protocol support, protected scope, Threat Prevention blade effectiveness.

The correct answer is D. "bypass" . A blade exception rule is used when matching traffic should be excluded from inspection by one or more Threat Prevention blades. In this context, bypass is the correct action because it tells the gateway not to apply the selected blade inspection to that traffic. Check Point’s exception documentation describes exceptions as a way to set a different action for an object in the protected scope, usually to reduce enforcement. The same guide shows that exception rules can include a Protection/Site/File/Blade cell, where administrators can select categories including Blades as exception items.

This is distinct from making a protection inactive globally. Inactive disables a protection or blade more broadly and is not the correct per-exception action for excluding selected traffic. Ignore is not the Threat Prevention exception action used in this context. Ask user is a UserCheck-style interaction and is not appropriate for bypassing Threat Prevention blade inspection. Bypass is precise: it preserves the broader policy while excluding only the matching scope from the selected blade or file-processing behavior. The guide also shows bypass behavior in file-type exception configuration, where a file type can be selected and bypassed under profile exception handling. Reference topics: Threat Prevention Exception Rules, Blade exceptions, bypass action, protected scope, file/blade exclusion.

The correct answer is B. snd . In Check Point performance architecture, SND means Secure Network Distributor . It is the CoreXL component that receives traffic from network interfaces, performs SecureXL acceleration where possible, and distributes non-accelerated traffic to CoreXL Firewall instances for deeper inspection. Check Point’s Performance Tuning documentation describes CoreXL SND as responsible for processing incoming traffic, securely accelerating authorized packets when SecureXL is enabled, and distributing non-accelerated packets between Firewall kernel instances.

This explains why SND is the correct answer for SecureXL full acceleration. The accelerated path is handled before the traffic is passed into a full firewall inspection path. IRQ is an interrupt mechanism, not the logical acceleration component. A CPU core provides processing capacity, but it is not the named SecureXL acceleration component. The dynamic dispatcher is related to distributing traffic among CoreXL Firewall instances based on load; it is not where SecureXL full acceleration is performed. This distinction matters heavily in performance troubleshooting: high SND utilization, traffic falling to F2F, or excessive PXL/FWK handling can indicate that Threat Prevention inspection is preventing full acceleration. Reference topics: SecureXL, CoreXL SND, accelerated path, dynamic dispatcher, F2F/PXL performance analysis.

The correct answer is B. QoS Policy exemptions . Threat Prevention exceptions are policy constructs used to alter how Threat Prevention blades, IPS protections, files, sites, or protected-scope objects are handled. Check Point documentation explains that an exception sets a different action for an object in the protected scope than the action specified by the Threat Prevention rule, and that exceptions are generally intended to reduce the level of enforcement rather than increase it. The guide also describes creating exceptions from IPS Protections, logs, events, and exception groups, all within the Threat Prevention policy workflow.

IPS Settings Exceptions , Core Activation Exceptions , and Implied IPS Exceptions are aligned with the IPS/Threat Prevention exception model because they affect how protections are activated, tuned, or safely excluded from enforcement. QoS Policy exemptions do not belong to Threat Prevention exception taxonomy. QoS relates to traffic prioritization, bandwidth control, and quality-of-service enforcement, not malware, IPS, Anti-Bot, Anti-Virus, or blade exception handling. In certification terms, the key separation is policy domain: Threat Prevention exceptions modify security inspection behavior, while QoS exemptions belong to traffic management. Reference topics: Threat Prevention Exceptions, IPS Exceptions, Core Activation Exceptions, Implied IPS Exceptions, exception groups.

The correct answer is A. It lets you start over by removing all administrator overrides . Profile Cleanup is a profile-maintenance function used when manual IPS protection changes have accumulated and the administrator wants to return the profile to its intended baseline logic. Check Point’s IPS Protections documentation describes the Profile Cleanup window as offering actions such as Remove all user modified and Clear all staging , followed by installing the Threat Prevention Policy.

This makes the feature a reset and hygiene mechanism, not a rulebase cleanup rule. It removes administrator-level overrides that may have been introduced during tuning, temporary mitigation, testing, exception handling, or staged rollout of protections. Option B is incorrect because Profile Cleanup does not merge settings from several profiles into the Optimized Profile. Option C is incorrect because unmatched traffic handling is controlled by policy/rule behavior, not by Profile Cleanup. Option D is incorrect because protections are not automatically removed based on usage age by this option. The administrative value of Profile Cleanup is control: it lets the security architect re-align a profile with its default or intended activation criteria. Reference topics: IPS Protections, Activation Overrides, Profile Cleanup, Staging, Threat Prevention Policy installation.

The correct answer is D. The rule is contained on a single line. There are two logical sections: Rule Header and Rule Options . SNORT signatures are supported in Check Point Threat Prevention as custom IPS-style protections, and their structure follows the standard SNORT rule model. Official Snort documentation states that the rule header includes the text before the first parenthesis, while the body contains the rule options between parentheses. It also shows a complete rule with header and option definitions. The classic Snort rule reference describes the two logical sections as the rule header and rule options .

In the exam wording, the expected construction is a single-line rule composed of these two logical sections. The header defines the coarse traffic selector and action, such as alert/drop, protocol, source, destination, ports, and direction. The options define the detailed detection logic, such as message, content match, flow, metadata, and signature identifier. “Payload” is not the correct formal name for the second logical section, which eliminates options A and C. Option B uses the correct logical sections but incorrectly states that the rule is contained on two lines. Reference topics: SNORT Signature Support, custom IPS protections, Rule Header, Rule Options, signature syntax.

The correct answer is B. Update Now, Schedule Update, Follow Protections . Check Point IPS protection maintenance includes manual updating, scheduled updating, and a follow-up workflow for newly updated protections. The official IPS Protections documentation explains that administrators can immediately update IPS from Custom Policy Tools > Updates > IPS > Update Now , and that IPS protections can also be updated by configuring a schedule for automatic downloads. It also notes that IPS updates require Threat Prevention Policy installation for enforcement.

The same IPS Protections section describes Follow Up behavior for protections: administrators can mark protections for follow-up, filter on them later, and updated protections can be automatically marked for follow-up so they can be reviewed after update. In the course-question wording, this maps to “Follow Protections.” The purpose is operational control: update now provides immediate package retrieval, scheduled update automates routine maintenance, and follow protections gives administrators a practical workflow to review newly added or changed IPS protections. The other options either use non-standard names or omit the protection-review workflow. Reference topics: IPS Protections, Update Now, Scheduling IPS Updates, Follow Up Protections, Threat Prevention Policy installation.

The correct answer is A. Automatically activates new protections based on profile . IPS protections are governed by Threat Prevention profiles, and those profiles determine which protections are activated for a rule or policy. Check Point documentation states that a Threat Prevention profile determines which protections are activated and which Software Blades are enabled for the specified rule or policy. For newly downloaded IPS protections, Check Point documents that automatic IPS update behavior can use the profile settings as the default action for those newly downloaded protections.

This is the core logic behind the answer: IPS Follow Protections aligns newly available protections with the active profile’s protection-selection logic instead of requiring the administrator to manually evaluate and activate every update. The profile already contains the criteria for activation, including threat severity, confidence, and performance considerations. Option B describes a different review-oriented workflow, commonly associated with marking protections for follow-up or staging. Option C is incorrect because reporting is a SmartEvent or logging function, not the purpose of Follow Protections. Option D is also incorrect because highlighting log entries does not activate enforcement. Reference topics: IPS profile settings, newly updated IPS protections, automatic update behavior, activation according to profile settings, IPS protection lifecycle.

The correct answer is D. Basic, Optimized, Strict . Check Point supplies out-of-the-box Threat Prevention profiles to give administrators predefined security/performance baselines. The official Threat Prevention Profiles section states that administrators can clone a selected profile but cannot change the out-of-the-box profiles: Basic, Optimized, and Strict .

These profiles represent different operating postures. Basic is designed for reliable protection with lower performance impact. Optimized is the default-style balanced approach, providing strong protection for common products and protocols while preserving gateway performance. Strict provides wider coverage and more aggressive protection selection, but can increase inspection cost and may require closer tuning. The other answer choices describe architectural traffic directions or deployment zones, not the official preconfigured profile names. “Perimeter,” “Datacenter,” and “East-West” are useful design concepts, especially in modern segmentation and Autonomous Threat Prevention discussions, but they are not the three preconfigured Custom Threat Prevention profiles in this question. From a certification perspective, the distinction matters because profiles are selected as the Action in Threat Prevention rules and determine which protections and blades are active. Reference topics: Threat Prevention Profiles, out-of-the-box profiles, Basic profile, Optimized profile, Strict profile, profile cloning.

The correct answer is D. Correlates Security Gateway logs into easily understandable events . SmartEvent is Check Point’s event-correlation and analysis system. It does not simply generate raw logs; logs are generated by Security Gateways and other Check Point components. SmartEvent consumes those logs, analyzes them against event policies, identifies patterns, and produces higher-level events suitable for investigation, dashboards, reports, and incident workflows. Check Point documentation explains that the SmartEvent Correlation Unit analyzes each log entry from a Log Server, looks for patterns according to the installed Event Policy, and forwards identified events to the SmartEvent Server.

This directly eliminates the distractors. SmartEvent does not run on the Security Gateway as the log-generating enforcement component. It does not generate logs merely so views can be customized; rather, it indexes, correlates, and presents logs and events. It is not principally a Multi-Domain syslog-forwarding tool. Its architectural value is correlation: it transforms large volumes of gateway logs into meaningful security events, reducing analyst workload and enabling threat timelines, reports, executive summaries, and incident management. Reference topics: SmartEvent Architecture, SmartEvent Correlation Unit, Event Policy, Log Server analysis, threat-event correlation.

The correct answer is D. Newly created domains . DGA means Domain Generation Algorithm , a technique used by malware to algorithmically create large numbers of domain names for command-and-control communication. Instead of hardcoding one static C2 domain, a bot can generate many possible domains over time, making takedown and static blocking much harder. Check Point’s Network Security Software Bundles datasheet states that Check Point AI Deep Learning blocks the latest DNS attacks, including Tunneling and Domain Generation Algorithm/DGA , and specifically blocks connections to the newest generation of malicious domains created via DGA.

This explains why the correct exam option is “newly created domains.” Known malicious IP blocking is a reputation and IP intelligence function, but it is not the specific purpose of DGA protection. Infected URLs and infected files are handled by URL reputation, Anti-Virus, Threat Emulation, and related Threat Prevention functions. DGA protection focuses on DNS-layer behavior and suspicious or algorithmically generated domain use, especially when malware attempts to contact rotating or recently generated domains for C2, payload retrieval, or data exfiltration. In operational terms, DGA protection is part of Anti-Bot and Advanced DNS defense, helping detect compromised hosts even when the malware infrastructure changes rapidly. Reference topics: ThreatCloud, DGA Protection, Advanced DNS, Anti-Bot, DNS C2 prevention.

The correct answer is B. You can check the percentage of F2F connections along with the reason why those connections could not be accelerated . The command fwaccel stats is part of SecureXL performance analysis. It is used to inspect how traffic is distributed across acceleration paths and firewall paths, which is essential when Threat Prevention blades or deep inspection features push traffic away from full acceleration. Check Point’s Performance Tuning documentation shows that fwaccel stats -s provides a summary including accelerated packets, F2Fed packets, F2V packets, CPASXL packets, PSLXL packets, and related totals.

The same documentation explains that F2F packets are packets SecureXL forwarded to the Firewall kernel in the slow path. This makes the command directly useful when diagnosing performance issues caused by non-accelerated inspection, SecureXL violations, or traffic that must be inspected by firewall and Threat Prevention components. Option A is wrong because fwaccel stats does not enable QoS acceleration. Option C is too generic; the command is not merely utilization monitoring. Option D better describes fwaccel stat , which reports SecureXL status, accelerated interfaces, and accelerated features. Reference topics: SecureXL, fwaccel stats, F2F packets, accelerated path, firewall path, performance troubleshooting.