Practice Free 156-590 Check Point Certified Threat Prevention Specialist (CTPS) Exam Questions Answers With Explanation

The correct answer is D. Verify Threat Prevention Blades are performing properly . Benign testing sites are controlled test resources used to validate that the Threat Prevention path is functioning without exposing the organization to real malware or live malicious infrastructure. Check Point documentation includes examples of test events generated by a Security Gateway, including a path named TestAntiBotBlade.html , which demonstrates that test-oriented resources can be used to confirm Anti-Bot/ThreatCloud detection and logging behavior without relying on an actual infection.

The key purpose is operational validation: confirm that the blade is enabled, the gateway can query or use ThreatCloud intelligence, the correct policy is installed, logs are generated, and the expected prevent/detect behavior occurs. Option A is narrower because rulebase reaction may be one part of testing, but the broader goal is to verify blade operation. Option B is also too narrow because SmartEvent visibility depends on logging and event correlation, while the test’s main purpose is not specifically SmartEvent validation. Option C is incorrect because benign testing sites are not used to decide whether real URLs are malicious; they are intentionally safe test endpoints. Reference topics: Threat Prevention blade validation, Anti-Bot test page, ThreatCloud event testing, logging verification, operational health checks.

The correct answer is D. Basic, Optimized, Strict . Check Point supplies out-of-the-box Threat Prevention profiles to give administrators predefined security/performance baselines. The official Threat Prevention Profiles section states that administrators can clone a selected profile but cannot change the out-of-the-box profiles: Basic, Optimized, and Strict .

These profiles represent different operating postures. Basic is designed for reliable protection with lower performance impact. Optimized is the default-style balanced approach, providing strong protection for common products and protocols while preserving gateway performance. Strict provides wider coverage and more aggressive protection selection, but can increase inspection cost and may require closer tuning. The other answer choices describe architectural traffic directions or deployment zones, not the official preconfigured profile names. “Perimeter,” “Datacenter,” and “East-West” are useful design concepts, especially in modern segmentation and Autonomous Threat Prevention discussions, but they are not the three preconfigured Custom Threat Prevention profiles in this question. From a certification perspective, the distinction matters because profiles are selected as the Action in Threat Prevention rules and determine which protections and blades are active. Reference topics: Threat Prevention Profiles, out-of-the-box profiles, Basic profile, Optimized profile, Strict profile, profile cloning.

The correct answer is C. Accept . Threat Prevention is applied only to traffic that has already been accepted by the Access Control policy, and then the Threat Prevention rulebase determines which protection profile, blade behavior, and tracking settings apply. When traffic does not match a Threat Prevention rule, no Threat Prevention profile is selected for that connection, so the traffic is not blocked by Threat Prevention simply because of a non-match. Check Point documentation explains that Threat Prevention policy layers calculate their actions according to rule matching, and in a single-layer policy the enforced rule is the first matched rule.

This distinction is critical for certification and real operations. Threat Prevention is not a replacement for the Access Control decision; it is a follow-up inspection layer for already accepted traffic. A non-match in Threat Prevention means the traffic is outside the configured protected scope or rule conditions, so the Threat Prevention engine does not apply a prevent/drop/reject action to it. Reject and Drop are enforcement outcomes for matched malicious or blocked traffic, not for unmatched Threat Prevention traffic. Detect is a logging/enforcement mode for matched protections, not the default result of no rule match. Reference topics: Threat Prevention Policy, ordered layer behavior, protected scope, first-match rule logic, unmatched traffic handling.

The correct answer is B. The executive reports generally contain abstract information without much technical detail. You have to use Smart Event Threat Prevention Report filtered for last week data . For executive communication, the correct SmartEvent mechanism is a report rather than a raw log export or interactive operational view. Check Point documentation explains that views and reports can be exported to PDF or CSV using defined filters and time frames, and that reports summarize network activity and Security Policy enforcement generated by Check Point products such as SmartEvent.

A CEO-level security-incident briefing should emphasize risk, timeline, impact, affected assets, attack category, prevention outcome, and recommended remediation, without requiring the recipient to interpret raw logs or technical blade details. A Threat Prevention Report filtered for last week provides the appropriate time-bounded summary. Option A is overly manual and uses a view plus CSV/PDF conversion rather than the report mechanism. Option C incorrectly shifts the workflow to SmartLog filtering and an external report generator. Option D uses a view, which is better suited for live or interactive operational analysis by administrators, not executive distribution. Reference topics: SmartEvent Reports, Threat Prevention Report, report time filters, executive reporting, exporting reports.

The correct answer is D. Individual Protections . Core Activation Exceptions are used to override activation behavior at the protection level, not at a broad ThreatCloud, inspection-engine, or protection-group abstraction. The official IPS profile settings documentation explains that the Additional Activation section gives administrators granular control to select IPS protections to activate or deactivate. It states that activated protections are enforced by gateways, while deactivated protections are not enforced, regardless of the general profile protection settings.

Check Point’s IPS Protections documentation reinforces this object-level model: each profile is a set of activated protections plus instructions for what IPS does if traffic matches an activated protection, and administrators can change the action for a specified protection. Therefore, a Core Activation Exception is not a general tuning category and does not apply to the entire ThreatCloud or to engine-wide inspection settings. It is used when a specific protection requires a different activation state than the profile would normally produce. This is common during false-positive handling, staged rollout, exception tuning, or targeted hardening for a specific vulnerability. Reference topics: IPS Protections, Additional Activation, activation overrides, individual protection enforcement, profile-based IPS tuning.

The correct answer is D. 2 million . In R81.20, Check Point expanded the supported scale for custom threat intelligence observables. The R81.20 Threat Prevention Administration Guide states that, starting from R81.20, the Security Gateway supports at least 2 million patterns/observables for URL, Domain, IP address, and Hash observable types. It also notes that the maximum number is limited by available memory and disk space on the Security Gateway, and that the gateway checks whether 50% of total memory is free before loading more patterns or observables.

This capability applies to Custom Intelligence Feeds, which let administrators fetch feeds from third-party servers directly to the Security Gateway for enforcement by Anti-Virus, Anti-Bot, and IPS blades. The feature reduces operational overhead by allowing external indicators to be managed and monitored through the Threat Prevention enforcement path. The incorrect options either understate or overstate the documented baseline. “Unlimited” is also incorrect because Check Point explicitly ties the upper boundary to memory and disk capacity. Reference topics: Custom Threat Indicators, External IoC Feeds, Custom Intelligence Feeds, observable scale, R81.20 Threat Prevention, URL/domain/IP/hash indicators.

The correct answer is B. fail-close . Fail mode defines how the Threat Prevention inspection engine behaves when it is overloaded or experiences an internal failure. Check Point’s Threat Prevention Engine Settings documentation defines two options: Allow all connections (Fail-open) and Block all connections (Fail-close) . Fail-open allows connections when the engine is overloaded or fails; Fail-close blocks connections in that condition.

Because the question specifically says Mike wants to block all files if an internal failure occurs, the secure choice is fail-close. This prioritizes protection and containment over availability. It is appropriate where allowing unscanned files would be unacceptable, such as highly regulated environments, malware-sensitive segments, or traffic paths carrying untrusted downloads. The tradeoff is operational: fail-close can interrupt business traffic if the inspection engine is unavailable, overloaded, or unable to complete the decision. Fail-open is the default availability-oriented behavior because it keeps traffic moving during failure, but it permits files or connections that may not have completed inspection. “Open system” and “closed system” are not the correct Check Point Threat Prevention fail-mode terms in this context. Reference topics: Threat Prevention Engine Settings, ThreatSpect fail mode, fail-open, fail-close, inspection failure handling.

The correct answer is B. CPU Utilization . IPS protection selection and activation are based on protection metadata and profile criteria, not a direct CPU-utilization rating. The official Threat Prevention guide states that a Threat Prevention profile activates protections according to factors including performance impact of the protection , severity of the threat , confidence that a protection can correctly identify an attack , and settings specific to the Software Blade.

The same R81.20 guide shows how the Optimized profile uses these criteria: protections are set to Prevent or Detect based on Confidence Level , Performance Impact , and Severity thresholds. CPU utilization is certainly relevant in performance troubleshooting, capacity planning, and operational monitoring, but it is not one of the IPS protection-selection ratings. In practice, CPU usage is an observed runtime metric, while Performance Impact is the predefined protection attribute used by profiles to decide whether a protection should be active, detect-only, or prevented. This distinction matters in certification: IPS tuning is driven by profile attributes, while CPU utilization is reviewed afterward through monitoring tools such as CPView, logs, and performance diagnostics. Reference topics: IPS Protection ratings, Threat Prevention Profiles, Severity, Confidence Level, Performance Impact, activation criteria.

The correct answer is C. CIFS . Check Point Anti-Virus scans file-transfer and content-bearing protocols, not arbitrary management or terminal protocols. The official Anti-Virus settings documentation lists the protocols Anti-Virus can scan as Web HTTP/HTTPS , FTP , SMB , and Mail SMTP or POP3 , with additional support for IMAP and POP3.

CIFS is closely associated with Microsoft file sharing and the SMB protocol family. In the exam context, CIFS maps to the file-sharing traffic class that Anti-Virus can inspect through SMB scanning. This is why CIFS is the correct option. Remote Desktop is an interactive remote-control protocol, not a file-inspection protocol for Anti-Virus scanning in this question. SNMP is a monitoring and management protocol and does not normally carry files for malware inspection. Telnet is an interactive terminal protocol and is not an Anti-Virus file-scanning protocol. The certification distinction is that Anti-Virus inspection focuses on files and content objects crossing supported protocols, especially web downloads, FTP transfers, SMB/CIFS file access, and mail attachments. Reference topics: Anti-Virus Settings, protocol scanning, SMB/CIFS inspection, file-transfer inspection, Threat Prevention protected scope.

The correct answer is C. Pre-infection . IPS is primarily a pre-infection protection because it is designed to stop exploitation attempts before the target host is compromised. Check Point describes its Threat Prevention solution as a multi-layered defense with both pre-infection and post-infection protections. Within that framework, IPS is the blade that delivers proactive intrusion prevention through signatures, behavioral protections, and preemptive protections, adding protection on top of Firewall enforcement.

This differs from Anti-Bot, which is classically post-infection because it detects infected hosts communicating with command-and-control infrastructure. IPS focuses earlier in the attack chain: reconnaissance, vulnerability exploitation, protocol violations, malicious payload delivery, and attempts to abuse exposed client or server software. It inspects packets and data for risks before successful exploitation results in malware installation, unauthorized access, or control of the system. “Post-inspection” and “pre-inspection” are not the correct lifecycle categories for IPS in Check Point certification terminology. “Post-infection” belongs more naturally to Anti-Bot and compromised-host detection. Reference topics: Threat Prevention Solution, IPS Software Blade, pre-infection defense, proactive intrusion prevention, exploit prevention.

The correct answer is C. Install the Threat Prevention Policy . IPS Core Protections are part of the Threat Prevention policy domain, so changing them in SmartConsole is not enough by itself. The updated configuration must be compiled and installed to the relevant Security Gateways through the Threat Prevention Policy installation process. Check Point’s IPS Protections documentation shows the workflow for editing core protections: go to Security Policies > Threat Prevention > Custom Policy Tools > IPS Protections , filter for Type Core , edit the required core protection settings, and then Install the Threat Prevention policy .

This directly eliminates the other options. The setting is not immediately active because gateways enforce installed policy, not merely edited management configuration. Install Database updates the management database but does not push enforcement logic to the Security Gateway. Install Access Control Policy applies firewall/access-layer logic, but IPS Core Protections belong to the Threat Prevention policy. In operational terms, this separation allows administrators to install Threat Prevention changes without necessarily reinstalling Access Control, reducing disruption and keeping blade changes scoped to the correct policy package. Reference topics: IPS Protections, Core IPS Protections, Custom Policy Tools, Threat Prevention Policy installation, enforcement lifecycle.

The correct answer is D. The traffic is not dropped. It is simply not inspected by the Threat Prevention Engine . Access Control and Threat Prevention are separate enforcement stages. The Access Control policy first decides whether the connection is allowed, rejected, or dropped. If Access Control accepts the connection, Threat Prevention is then applied only if the connection matches a Threat Prevention rule and therefore receives a Threat Prevention profile. Check Point documentation describes Threat Prevention policy as the mechanism used to activate only the protections needed and prevent attacks that most threaten the network. It also explains that Threat Prevention policy layers calculate their action separately and that in a single layer, the first matched rule is enforced.

Therefore, if accepted traffic does not match the Threat Prevention rulebase, no Threat Prevention profile is selected for that connection. The traffic is not blocked merely because of the non-match; it passes according to the Access Control decision, but without Threat Prevention inspection. Option A is too aggressive and incorrect. Option B incorrectly assumes logging. Option C is directionally true but incomplete because the key point is that Threat Prevention inspection is not applied. Reference topics: Access Control before Threat Prevention, Threat Prevention Rule Base, profile selection, unmatched traffic, ordered layer evaluation.

The correct answer is D. IPS, Antivirus and Antibot . Threat Prevention updates can be scheduled automatically, but administrators can also manually trigger updates for the major signature/intelligence-driven Threat Prevention blades. Check Point’s scheduled-update documentation states that automatic gateway updates can be configured for Anti-Virus , Anti-Bot , Threat Emulation , and IPS blades. It also explains that Anti-Virus, Anti-Bot, and Threat Emulation gateways download updates directly from the Check Point cloud, while IPS update behavior changed from management-based enforcement before R80.20 to gateway direct download starting in R80.20.

In the exam context, the manually triggered signature-update set is IPS, Anti-Virus, and Anti-Bot. These blades depend heavily on continuously updated threat intelligence, signatures, malicious domains, command-and-control intelligence, malware classification, and IPS protection packages. Option B is too narrow because IPS is not the only manually updateable Threat Prevention component. Option C is incomplete because it omits Anti-Bot. Option A is not a valid update-set answer. Operationally, manual updates are used when an urgent threat advisory, lab recommendation, incident response condition, or failed scheduled update requires immediate refresh of protection data. Reference topics: Threat Prevention Updates, IPS Updates, Anti-Virus Updates, Anti-Bot Updates, scheduled and manual update workflow.

The correct answer is C. Cleanup Rules are not strictly required in the Threat Prevention Policy . Threat Prevention policy behavior is governed by ordered layers and rule matching, but an administrator is not forced to create an explicit cleanup rule in every Threat Prevention rulebase. Check Point documentation explains that a Threat Prevention Rule Base can contain multiple Policy Layers and that each layer calculates its action separately. For a single layer, the enforced rule is the first rule matched; for multiple layers, the final behavior depends on the layer matches and resulting action logic.

A cleanup rule is still a strong operational best practice because it makes the terminal behavior explicit, easier to audit, and easier for operations teams to troubleshoot. Without an explicit cleanup rule, behavior depends on the layer’s implicit cleanup logic and the policy architecture. Check Point Security Management documentation shows that implicit cleanup behavior exists at the layer level and can be configured as Drop or Accept in the Layer Editor. The question asks whether cleanup rules are mandatory, not whether they are recommended. Options A and D incorrectly tie cleanup rule requirement to the Basic Profile. Option B incorrectly links Threat Prevention cleanup requirements to the Access Control cleanup rule. Reference topics: Threat Prevention Policy Layers, implicit cleanup rule, explicit cleanup best practice, Layer Editor behavior.

The correct answer is D. Only a subset of file types supported . In Check Point traffic inspection architecture, Passive Streaming and Active Streaming are stream-handling mechanisms used by content-inspection components. Passive Streaming allows inspection of traffic as a stream is observed, while Active Streaming is more intrusive because the gateway can actively participate in traffic handling, buffering, or modification. In Anti-Virus inspection, this distinction matters because file classification and supported file handling depend on the inspection mechanism and file-type processing model. Check Point’s Anti-Virus settings expose file-type controls, including processing file-type families and configuring actions per file type. Check Point’s Security Gateway documentation also identifies CPAS as Check Point Active Streaming and PSL as Passive Streaming Layer, with MUX selecting between passive and active streaming for application traffic.

The exam distinction is that Active Streaming does not provide unrestricted Anti-Virus inspection coverage across every possible file type; its limitation is that only a subset of file types is supported. Option A is wrong because Anti-Virus inspection is not limited to scheduled scans. Option B is not the distinct comparative limitation in this context. Option C is incorrect because there is a documented architectural distinction between the two streaming approaches. Reference topics: CPAS, PSL, MUX, Anti-Virus file-type processing, content inspection architecture.

The correct answer is C. user:"John Doe" AND (action:drop OR action:reject OR action:block) . Check Point log-query syntax uses field-based filters in the form field:value , Boolean operators such as AND and OR , and parentheses to group multiple criteria. The official Query Language Overview states that the basic syntax is [Field:] < Filter Criterion > , and that Boolean operators can combine multiple filters. It also shows action filtering examples such as blade:"application control" AND action:block, and explains that multiple Boolean expressions can be grouped in parentheses.

Because the user name contains a space, the value must be enclosed in double quotation marks: user:"John Doe". Without quotes, the query parser treats the words as separate criteria, which makes option B incorrect. Option A uses a hyphenated value, which changes the user name. Option D uses single quotes, while Check Point examples and expected syntax use double quotes for phrase values. The action clause is correctly grouped with OR to match logs where the IPS-related enforcement action is drop, reject, or block. Reference topics: Logs & Monitor query language, field filters, quoted strings, Boolean operators, action filtering, IPS log investigation.

The correct answer is B. Active Streaming, Passive Streaming, Deep Scanning and Archive Scanning . Anti-Virus scanning in Check Point Threat Prevention uses multiple content-inspection technologies to balance security, performance, and protocol behavior. Check Point Security Gateway documentation identifies the streaming architecture: the MUX layer chooses to work over PSL , the Passive Streaming Layer, or CPAS , Check Point Active Streaming. The Anti-Virus settings documentation also shows Deep Scanning behavior through file-type processing, including Process all file types and Enable deep inspection scanning , with an explicit performance-impact warning. It also describes Archive Scanning, where the Anti-Virus engine unpacks archives and applies proactive heuristics.

This makes option B the only complete answer. “Inspect or Bypass” describes possible handling actions, not scanning technologies. “Active and Passive Scanning” is incomplete because it omits deep inspection and archive handling. “Automatic, Manual, On-Demand, Scheduled” describes update or operational timing concepts, not Anti-Virus scanning engines. In practice, Active/Passive Streaming controls how traffic is handled in the inspection pipeline, Deep Scanning expands the set of file types inspected, and Archive Scanning opens compressed containers to detect malware hidden inside them. Reference topics: Anti-Virus Settings, CPAS, PSL, Deep Inspection Scanning, Archive Scanning.