Checkpoint 156-590 Check Point Certified Threat Prevention Specialist (CTPS) Exam Practice Test
Check Point Certified Threat Prevention Specialist (CTPS) Questions and Answers
Which protection setting is generally the LEAST resource intensive?
Options:
Prevent
Inspect
Detect
Inactive
Answer: D
Explanation:
The correct answer is D, Inactive. A protection set to Inactive is not evaluated against matching traffic at all, so it carries none of the inspection and enforcement cost of the active states. Check Point documentation explains that a Threat Prevention profile determines which protections are activated and which Software Blades are enabled for a rule or policy, and that activation depends on factors such as performance impact, threat severity, confidence level and blade-specific settings. Check Point best-practice material likewise describes administrators tuning IPS profiles and setting individual protections to Prevent, Detect or Inactive, which are the three documented IPS protection actions.
The relative resource logic is direct. Prevent is usually the most expensive because the gateway must inspect the traffic and then enforce a blocking action inline. Inspect and Detect still run the full matching logic; only the final outcome changes from blocking to logging. Inactive removes the protection from evaluation entirely, which makes it the lowest-cost option. This does not mean protections should be disabled indiscriminately: set a protection to Inactive only when justified by risk, false-positive analysis, performance tuning or a compensating control, and record the justification so the decision can be revisited at the next IPS update. Reference topics: IPS profile tuning, activation settings, performance impact, Prevent/Detect/Inactive behavior, Threat Prevention optimization.
What is the action for newly updated protections which is set in Staging Mode?
Options:
Detect
Bypass
None
Prevent
Answer: A
Explanation:
The correct answer is A, Detect. IPS Staging Mode introduces newly updated protections safely by observing their effect before enforcing prevention. Check Point documentation states that when newly updated protections are set to Staging Mode they remain in staging until the administrator changes their configuration, that the default action for protections in staging is Detect, and that this can be changed manually in the IPS Protections page. The R81.20 guide describes the same behavior.
This matters during IPS lifecycle management because new signatures can match unexpected production traffic. Detect lets the gateway log what the protection would have blocked without blocking it, which gives administrators time to review logs, tune exceptions, confirm the confidence level and assess business impact before switching to Prevent. Bypass would skip inspection and is not the staging default. None is not the default action. Prevent may be the eventual enforcement state, but staging deliberately defers it until the analysis is complete. A practical check after an update: filter the logs for staged protections that fired with action Detect; any that matched only legitimate traffic need an exception or an Inactive setting before the protection is promoted to Prevent. Reference topics: IPS Updates Policy, Staging Mode, Newly Updated Protections, Detect action, IPS protection rollout.
Who owns and maintains the CVE program and database?
Options:
Check Point
US Department of Homeland Security (DHS)
MITRE Corporation
National Institute of Standards and Technology (NIST)
Answer: C
Explanation:
The correct answer is C, MITRE Corporation. CVE (Common Vulnerabilities and Exposures) is the standardized naming system used across security vendors, vulnerability databases, IPS signatures, advisories, scanners and remediation programs. In a Check Point Threat Prevention context, CVE identifiers matter because IPS protections frequently map to known vulnerabilities, which lets administrators correlate a protection with vendor advisories, exposure management, patching and risk prioritization. The CVE site describes CVE as an authoritative reference method for publicly known information-security vulnerabilities and exposures, and MITRE documentation states that The MITRE Corporation maintains CVE and its public website, manages compatibility and provides technical guidance to the CVE Editorial Board.
The distractors are related but distinct roles. DHS/CISA sponsors and funds the program, but sponsorship is not ownership and maintenance of the CVE list. NIST maintains the National Vulnerability Database, which enriches CVE entries with scoring and analysis but is downstream of the CVE identifiers themselves. Check Point consumes CVE intelligence through IPS and ThreatCloud-driven protections; it does not own the program. Reference topics: IPS vulnerability mapping, CVE-based protection metadata, threat intelligence normalization, vulnerability-to-protection correlation.
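The correlation described above (IPS protection metadata to CVE identifiers to your own patch status) as an added example, not code from the exam page or from Check Point. The protection names, description strings and the patch inventory are constructed for the example; the CVE identifiers are real, widely published ones used only as sample values.

```python
import re
from typing import Dict, List, Set

# A CVE identifier is "CVE-" + 4-digit year + "-" + 4 or more digits (the 2014
# syntax change removed the upper bound). Word boundaries keep a token such as
# "CVE-2021-44228a" from matching.
CVE_RE = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b", re.IGNORECASE)


def extract_cves(text: str) -> Set[str]:
    """Return the normalised (upper-case) CVE identifiers mentioned in free text."""
    return {f"CVE-{year}-{seq}" for year, seq in CVE_RE.findall(text)}


def is_cve_id(token: str) -> bool:
    """True if the whole token is a syntactically valid CVE identifier."""
    return CVE_RE.fullmatch(token) is not None


# Constructed sample: protection names mapped to description text, in the shape of
# an exported IPS protections table. Names are illustrative, not real protections.
PROTECTIONS: Dict[str, str] = {
    "Apache Log4j Remote Code Execution":
        "Covers CVE-2021-44228 and CVE-2021-45046 (JNDI lookup abuse).",
    "Microsoft Exchange Server SSRF":
        "Addresses cve-2021-26855; part of the ProxyLogon chain.",
    "Generic HTTP Header Anomaly":
        "Heuristic protection with no specific vulnerability reference.",
}

# Constructed patch inventory: CVEs the patch team has confirmed remediated on the
# servers behind this gateway.
PATCHED: Set[str] = {"CVE-2021-45046", "CVE-2021-26855"}


def unpatched_by_protection(protections: Dict[str, str],
                            patched: Set[str]) -> Dict[str, List[str]]:
    """For each protection, the CVEs it references that are still unpatched.

    A non-empty list means the protection is the compensating control for an open
    exposure and should stay on Prevent. An empty list for a CVE-backed protection
    makes it a candidate for Detect or Inactive if it is generating false positives."""
    return {name: sorted(extract_cves(desc) - patched)
            for name, desc in protections.items()}


if __name__ == "__main__":
    for name, open_cves in unpatched_by_protection(PROTECTIONS, PATCHED).items():
        status = "keep Prevent: " + ", ".join(open_cves) if open_cves else "no open CVE"
        print(f"{name}: {status}")
```

The same extraction works on a SmartConsole protections export or on IPS log fields; the point is that the CVE string is the join key between Check Point's protection metadata and the vulnerability-management data you already hold.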
Protections with a High Protection Impact rating go through which path?
Options:
PXL
SXL
CPASXL
F2F
Answer: D
Explanation:
The correct answer is D, F2F. The rating the question calls Protection Impact is the Performance Impact field shown on each IPS protection. Protections with high performance impact require deeper processing that cannot remain fully accelerated in SecureXL. In Check Point performance terminology, F2F (forward to firewall) means SecureXL hands the packet to the Firewall kernel for inspection; performance tuning documentation describes F2F packets as packets that SecureXL forwarded to the Firewall in the slow path, while accelerated traffic stays in the fast path. High-impact IPS protections can require deeper packet, stream or protocol analysis and therefore increase the share of traffic processed outside full acceleration.
Check Point IPS documentation explains that Performance Impact measures how much a protection affects gateway performance and warns that activating protections with higher impact can cause connectivity or performance issues; the IPS optimization guidance adds that some protections need more system resources to inspect traffic and recommends focusing on lower-impact protections when gateway resource use must be reduced. SXL is the fully accelerated path, PXL (PSLXL) is the medium path for passive streaming inspection with acceleration assistance, and CPASXL is the medium path for Check Point Active Streaming. High Performance Impact aligns with F2F because the gateway must perform the deepest inspection. A practical check is to compare the F2F share reported by fwaccel stats -s before and after enabling a high-impact protection. Reference topics: IPS Performance Impact, SecureXL packet paths, F2F, PXL/SXL, IPS optimization.
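The before/after check mentioned above, as an added example that is not part of the exam page or a Check Point tool. The sample text is constructed to follow the layout of the packet-counter lines printed by fwaccel stats -s; the numbers are made up, and the mapping of counter names to path labels (Accelerated to SXL, PSLXL to PXL, CPASXL, F2Fed to F2F) is the assumption the parser relies on.

```python
import re
from typing import Dict, Tuple

# A packet-counter line of `fwaccel stats -s` has the shape
# "F2Fed pkts/Total pkts   : 2494/4540 (54%)"; connection counters are ignored.
LINE_RE = re.compile(
    r"^(?P<counter>[A-Za-z0-9 ]+?) pkts/Total pkts\s*:\s*(?P<n>\d+)/(?P<total>\d+)")

# Counter name -> SecureXL path label used in Check Point performance tuning.
PATHS = {"Accelerated": "SXL", "PSLXL": "PXL", "CPASXL": "CPASXL", "F2Fed": "F2F"}

# Constructed sample modeled on the layout of `fwaccel stats -s`; numbers are made up.
SAMPLE = """\
Accelerated conns/Total conns : 310/1240 (25%)
Accelerated pkts/Total pkts   : 41200/100000 (41%)
F2Fed pkts/Total pkts   : 33500/100000 (33%)
F2V pkts/Total pkts   : 1200/100000 (1%)
CPASXL pkts/Total pkts   : 5300/100000 (5%)
PSLXL pkts/Total pkts   : 20000/100000 (20%)
QOS inbound pkts/Total pkts   : 0/100000 (0%)
QOS outbound pkts/Total pkts   : 0/100000 (0%)
Corrected pkts/Total pkts   : 0/100000 (0%)
"""


def parse_packet_counters(text: str) -> Dict[str, Tuple[int, int]]:
    """Map each packet-counter name to (count, total); connection lines are skipped."""
    counters = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            counters[m.group("counter")] = (int(m.group("n")), int(m.group("total")))
    return counters


def path_shares(counters: Dict[str, Tuple[int, int]]) -> Dict[str, float]:
    """Fraction of all packets on each SecureXL path (0.0 when a counter is absent)."""
    shares = {}
    for counter, label in PATHS.items():
        count, total = counters.get(counter, (0, 0))
        shares[label] = count / total if total else 0.0
    return shares


def slow_path_alert(shares: Dict[str, float], threshold: float = 0.25) -> bool:
    """True when more than `threshold` of packets reach the Firewall path (F2F)."""
    return shares["F2F"] > threshold


def compare(before: Dict[str, float], after: Dict[str, float]) -> Dict[str, float]:
    """Change in each path's share between two snapshots, for example taken
    before and after activating a high-impact protection."""
    return {path: round(after[path] - before[path], 4) for path in before}


if __name__ == "__main__":
    shares = path_shares(parse_packet_counters(SAMPLE))
    for path, share in shares.items():
        print(f"{path:7} {share:6.1%}")
    print("slow-path alert:", slow_path_alert(shares))
```

Take the first snapshot with the profile as it is, the second after the change has been installed and traffic has run for a representative interval; a jump in the F2F share with a matching drop in SXL is the signature of a protection that pulled traffic off the accelerated path.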
What action is taken by Threat Prevention for traffic that does not match any Threat Prevention rules?
Options:
Reject
Drop
Accept
Detect
Answer: C
Explanation:
The correct answer is C, Accept. Threat Prevention is applied only to traffic that the Access Control policy has already accepted; the Threat Prevention rulebase then determines which profile, blade behavior and tracking settings apply. When a connection matches no Threat Prevention rule, no profile is selected for it, so Threat Prevention does not block it merely because nothing matched. Check Point documentation explains that Threat Prevention policy layers calculate their actions according to rule matching, and that in a single-layer policy the enforced rule is the first matched rule.
This distinction matters both for the exam and in operations. Threat Prevention does not replace the Access Control decision; it is a follow-up inspection layer for already accepted traffic. A non-match means the traffic is outside the configured protected scope or rule conditions, so the engine applies no prevent, drop or reject action to it. Reject and Drop are enforcement outcomes for matched malicious or blocked traffic, not for unmatched traffic. Detect is an action applied to matched protections, not the result of no rule matching. The operational consequence is that a protected scope that is too narrow silently leaves traffic uninspected, so review the scope of the last rule whenever a new network segment is added. Reference topics: Threat Prevention Policy, ordered layer behavior, protected scope, first-match rule logic, unmatched traffic handling.
What is true concerning the Threat Prevention Policy?
Options:
Multiple Threat Prevention Policies can be assigned to one Security Gateway.
The Threat Prevention Policy can override an Access Control Policy Drop or Reject.
In a case of a conflict, the Threat Prevention Policy takes precedence over an Access Control Policy.
The Threat Prevention Policy is only applied after traffic is accepted by Access Control Policy.
Answer: D
Explanation:
The correct answer is D, The Threat Prevention Policy is only applied after traffic is accepted by Access Control Policy. Threat Prevention is a follow-up inspection framework for traffic that has already passed the access decision. The Access Control policy determines whether a connection is allowed, rejected or dropped; only allowed traffic proceeds to Threat Prevention evaluation by IPS, Anti-Bot, Anti-Virus, Threat Emulation and the related blades. Check Point's policy workflow separates Access Control from Threat Prevention, and the Threat Prevention guide describes the Threat Prevention rulebase as the policy used to activate the needed protections against accepted traffic.
Options B and C are incorrect because Threat Prevention cannot resurrect or override a connection that Access Control has already dropped or rejected; enforcement is sequential, and blocked traffic never reaches malware or IPS inspection as an accepted connection. Option A is incorrect because a gateway is assigned one policy package, and that package carries the Threat Prevention policy (possibly as several ordered layers); separate, competing Threat Prevention policies are not stacked on the same target. Reference topics: Threat Prevention Policy workflow, Access Control then Threat Prevention sequence, policy package enforcement, accepted-traffic inspection.
Which process is responsible for communication with the Check Point ThreatCloud for the sake of Anti-Virus Protection Update?
Options:
The CPAS Daemon (cpasd)
The Resource Advisor Daemon (RAD)
The PSL AV-Daemon (pslavd)
The Threat Emulation Daemon "ted"
Answer: A
Explanation:
The answer keyed by the course guide is A, The CPAS Daemon (cpasd). In the course material, cpasd is the process associated with Anti-Virus communication toward ThreatCloud for protection updates and file classification. The functional reason is that Anti-Virus file inspection depends on Check Point's ThreatSpect and ThreatCloud intelligence pipeline: each Security Gateway has a Malware database and a local cache, and when the cache has no answer the gateway queries the ThreatCloud repository. For Anti-Virus, the file's signature is sent for classification.
ThreatCloud is updated dynamically and distributes attack information that converts zero-day attack data into known signatures Anti-Virus can block, so AV enforcement is not limited to a static local signature set; it relies on cloud-assisted reputation, classification and continuously refreshed intelligence. On the distractors: RAD (rad) is the Resource Advisor daemon that performs online categorization lookups for URL Filtering and Application Control, and Check Point's process reference also lists Anti-Bot and Anti-Virus among the blades that use it, so when troubleshooting failed cloud lookups in the field check the rad process as well as the answer this item keys on. pslavd is not the update process named here, and ted belongs to Threat Emulation, not Anti-Virus updates. Reference topics: Anti-Virus, CPAS/cpasd, ThreatCloud repository, Malware database, local cache, file classification.
What is an advantage of SmartEvent Reports over Views?
Options:
Reports are live and interactive.
Reports can be delivered to users who are not Check Point administrators.
Reports have access to more detail than Views.
Reports are customizable and Views are not.
Answer: B
Explanation:
The correct answer is B, Reports can be delivered to users who are not Check Point administrators. SmartEvent Views are interactive dashboards used by administrators and analysts for live investigation, drill-down, filtering and operational analysis. Reports are designed for packaged distribution: they summarize security activity, policy enforcement, trends and incident data into a consumable document. Check Point documentation states that views and reports can be exported to PDF or CSV using defined filters and time frames, and it documents scheduled delivery, including sending a scheduled view or report automatically by email.
That delivery model is why reports suit executives, auditors, business owners and other non-administrator stakeholders: they need neither SmartConsole access nor Check Point administrator privileges to read a PDF or a scheduled email. Option A describes Views, which are the live and interactive surface. Option C is incorrect because reports do not carry more raw detail than views; they present selected information in a structured layout. Option D is incorrect because both views and reports can be customized. Reference topics: SmartEvent Reports, Views and Reports, report scheduling, PDF/CSV export, email delivery, non-administrator reporting.
What is necessary to do after an IPS Signature update?
Options:
Perform "Install Database".
Install the Threat Prevention Policy.
Those changes are immediately active.
Install the Access Control Policy.
Answer: B
Explanation:
The correct answer is B, Install the Threat Prevention Policy. IPS protections can be updated manually or on a schedule, and Check Point documentation states that IPS can be updated with real-time information on attacks and the latest protections. The same section notes explicitly that to enforce the IPS updates you must install the Threat Prevention Policy, and the documented update procedure ends with that installation after the update method is selected.
The distinction is that downloading an IPS package makes the updated protections available to management and policy logic, while enforcement on the Security Gateways depends on policy installation. "Install Database" is not the enforcement step for gateway inspection. Installing the Access Control Policy is also wrong because IPS ThreatCloud protections belong to the Threat Prevention policy framework, not the Access Control rulebase. The statement that changes are immediately active does not describe the documented behavior. In production, scheduled IPS updates are often paired with an automatic Threat Prevention policy installation, which confirms rather than removes the requirement: the policy must be installed for the new protections to be enforced. Reference topics: Updating IPS Protections, Threat Prevention Policy installation, IPS update enforcement, scheduled updates.
How can the IPS Blade be activated?
Options:
The IPS Blade must be activated on the Management Server object and can be used on every gateway managed by this Management server.
No need to activate the IPS Blade as far as you have installed the correct IPS license on the gateways.
In a ClusterXL deployment, the IPS Blade must be activated on the individual cluster nodes.
The IPS Blade must be activated on the individual Security Gateway object.
Answer: D
Explanation:
The correct answer is D, The IPS Blade must be activated on the individual Security Gateway object. Software Blades are enabled on the enforcement point that inspects traffic, which is the Security Gateway or Cluster object, not the Management Server. The Threat Prevention guide states that to enable IPS the administrator opens the Security Gateway / Cluster object, goes to General Properties > Network Security, selects IPS and follows the wizard. For IPS package installation, Check Point documents the sequence: enable IPS in the Security Gateway object, enable IPS in the corresponding Threat Prevention policy, and install the Threat Prevention Policy.
A license alone is therefore insufficient: the license permits use, but blade activation determines whether the gateway enforces IPS inspection. Option A is wrong because enabling the blade on the Management Server object does not activate IPS on the managed gateways. Option C is wrong for a standard ClusterXL deployment because blades are configured on the Cluster object, not separately (and potentially inconsistently) on each member. Enabling IPS on the correct gateway or cluster object also makes SmartConsole expose the corresponding Threat Prevention controls and targets policy installation at the right enforcement points. Reference topics: IPS Blade activation, Gateway object configuration, Threat Prevention policy installation, Cluster object management.
Which feature can improve performance by allowing the gateway to bypass Anti-Virus inspection of specific files?
Options:
Content Control
Exclusions
Exceptions
Bypass
Answer: B
Explanation:
The correct answer is B, Exclusions. In Anti-Virus policy design, exclusions remove selected traffic or file categories from inspection when inspecting them is unnecessary, redundant or too costly for the business flow. Check Point documentation states that Threat Prevention can be configured to exclude files from inspection, giving internal emails and internal file transfers as examples, and explains that these settings are based on interface type and traffic direction.
That matches the performance objective in the question: if the gateway does not inspect files that are already trusted, internal or operationally low-risk, Anti-Virus consumes less CPU, memory, buffering and content-inspection capacity. Content Control is not the Anti-Virus bypass feature in this context. Exceptions are policy-level rules that can remove traffic from Threat Prevention enforcement, but the question asks for the feature that improves Anti-Virus performance by skipping inspection of specific files, which is Exclusions. Bypass names the effect, not the feature. Treat every exclusion as an accepted blind spot: document which interface and direction it covers and why the files on that path are trusted. Reference topics: Anti-Virus Settings, Protected Scope, file inspection exclusions, interface direction, Threat Prevention performance optimization.
What kind of blade is the IPS considered?
Options:
Preventative
Pre-infection
Inline
Post-infection
Answer: B
Explanation:
The correct answer is B, Pre-infection. IPS is categorized as a pre-infection Threat Prevention blade because its role is to stop exploitation attempts before the protected host is compromised. Check Point's Threat Prevention guide describes IPS as protection against malicious and unwanted network traffic, focusing on application and server vulnerabilities, in-the-wild attacks, exploit kits and malicious attackers. The same guide classifies Anti-Bot & Advanced DNS as post-infection detection of bots on hosts, and Anti-Virus as pre-infection detection and blocking of malware at the gateway.
IPS sits in the pre-infection stage because it prevents the exploit chain from succeeding: it inspects network traffic for vulnerability exploitation, protocol abuse, malformed payloads, known CVE exploitation attempts, server and client attacks, and suspicious patterns that could lead to compromise. "Preventative" is true as a plain English description but is not the lifecycle classification Check Point uses. "Inline" describes where a security function sits in the traffic flow, not an infection-stage category. "Post-infection" belongs to Anti-Bot, which detects and blocks command-and-control communication after a host shows signs of compromise. Reference topics: IPS Software Blade, pre-infection prevention, exploit protection, Threat Prevention architecture, Anti-Bot post-infection contrast.
Which location is NOT able to create a Threat Prevention Exception?
Options:
Policy Rule
Log Overview
Log Details
SmartView
Answer: D
Explanation:
The correct answer is D, SmartView. Threat Prevention exceptions are created and managed in SmartConsole policy and log workflows, not in SmartView. Check Point documentation states that an exception can be added directly to a rule by selecting the rule in the Policy pane and clicking Add Exception, and it documents creating exceptions from the IPS Protections view and from logs or events in Logs & Monitor, where the administrator right-clicks a log and selects Add Exception.
Policy Rule, Log Overview and Log Details are therefore valid places to create an exception. SmartView is the browser-based interface for log viewing, reporting, dashboards and event analysis; it is not the policy-editing context in which Threat Prevention exception rules are inserted into the policy package and installed. The reason is enforcement integrity: an exception changes the compiled Threat Prevention policy, so it must be created where protected scope, protection/site/file/blade, action, track, install targets and policy installation are all controlled. Reference topics: Exception Rules, Adding Exception to Rule, Creating Exceptions from Logs or Events, IPS Protections exceptions, Threat Prevention Policy installation.
What is the name of the default Threat Prevention Profile?
Options:
Basic
Standard
Strict
Optimized
Answer: D
Explanation:
The correct answer is D, Optimized. Threat Prevention profiles define how the gateway applies protections across blades such as IPS, Anti-Bot, Anti-Virus, Threat Emulation and Threat Extraction. The default profile is Optimized because it balances effective security with acceptable gateway performance; Check Point documentation states that the Optimized profile is activated by default and gives excellent security with good gateway performance.
This reflects the practical tradeoff in enterprise Threat Prevention: not every protection should run at its most aggressive setting on every gateway, because high-impact protections raise CPU consumption, latency and inspection overhead. The Optimized profile uses protection severity, confidence and performance impact to activate protections that are broadly useful without unnecessary operational cost. Basic activates a narrower, lower-impact set of protections. Strict activates a wider set and can affect performance more significantly. Standard is not one of the predefined Threat Prevention profiles. Reference topics: Threat Prevention Profiles, default profile behavior, Optimized Protection Profile settings, blade activation, security/performance balance.
What is/are the enabled by default protocols supported by the Antivirus Blade?
Options:
HTTP/HTTPS, FTP, SMB, SMTP
HTTP/HTTPS, FTP, SMB
HTTP/HTTPS
HTTP/HTTPS, FTP
Answer: C
Explanation:
The correct answer is C, HTTP/HTTPS. The course guide identifies HTTP/HTTPS as the Anti-Virus protocols enabled by default, which reflects the most common malware-delivery path at the perimeter: users downloading web content from the Internet. HTTP is directly visible to the gateway, while HTTPS requires HTTPS Inspection before encrypted file transfers and web objects can be examined by Anti-Virus. Check Point documentation notes that most traffic is now HTTPS rather than HTTP and recommends enabling HTTPS Inspection to get full value from the Threat Prevention Software Blades.
The Anti-Virus blade supports more protocols than the default enabled set: Check Point documents HTTP, FTP, SMB and SMTP as selectable in SmartConsole, with IMAP and POP3 available through configuration. That is the certification point: supported does not mean enabled by default. FTP, SMB, SMTP, IMAP and POP3 extend coverage, but each added protocol widens the inspection scope and must be weighed against topology, performance and business risk. Reference topics: Anti-Virus Settings, HTTPS Inspection, protocol support, protected scope, Threat Prevention blade effectiveness.
Which Threat Prevention signature updates can you trigger manually?
Options:
Not everything is updated automatically.
Only IPS.
IPS and antivirus.
IPS, Antivirus and Antibot.
Answer: D
Explanation:
The correct answer is D, IPS, Antivirus and Antibot. Threat Prevention updates can be scheduled, but administrators can also trigger updates manually for the signature- and intelligence-driven blades. Check Point's scheduled-update documentation states that automatic gateway updates can be configured for the Anti-Virus, Anti-Bot, Threat Emulation and IPS blades, and explains that Anti-Virus, Anti-Bot and Threat Emulation gateways download updates directly from the Check Point cloud, while IPS moved from management-based distribution before R80.20 to direct gateway download from R80.20 onward.
In the exam context the manually triggered signature-update set is IPS, Anti-Virus and Anti-Bot. These blades depend on continuously refreshed threat intelligence: IPS protection packages, malware classifications, malicious domains and command-and-control indicators. Option B is too narrow because IPS is not the only manually updateable component. Option C is incomplete because it omits Anti-Bot. Option A is not an update set at all. Manual updates are used when an urgent advisory, an incident-response condition or a failed scheduled update requires an immediate refresh of protection data. Reference topics: Threat Prevention Updates, IPS Updates, Anti-Virus Updates, Anti-Bot Updates, scheduled and manual update workflow.
What does the IPS Follow Protections feature do?
Options:
Automatically activates new protections based on profile
Flags newly downloaded protections for review
Generates a report of activity from new protections
Highlights log entries for new protections
Answer: A
Explanation:
The correct answer is A, Automatically activates new protections based on profile. IPS protections are governed by Threat Prevention profiles, which determine which protections are activated for a rule or policy. Check Point documentation states that a Threat Prevention profile determines which protections are activated and which Software Blades are enabled for the specified rule or policy, and that the automatic IPS update behavior can use the profile settings as the default action for newly downloaded protections.
That is the logic behind the answer: the feature aligns newly available protections with the active profile's selection criteria (severity, confidence and performance impact) instead of requiring the administrator to evaluate and activate every update by hand. Option B describes a different, review-oriented workflow: marking protections for follow-up or placing them in staging. Option C is wrong because reporting is a SmartEvent or logging function. Option D is wrong because highlighting log entries does not change enforcement. Reference topics: IPS profile settings, newly updated IPS protections, automatic update behavior, activation according to profile settings, IPS protection lifecycle.
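The activation logic discussed in the items on Inactive protections, Staging Mode, the default Optimized profile and profile-based activation of new protections, as one added example. This is not Check Point code and not the product's actual algorithm: the rating names are Check Point's, but placing them on a single ordinal scale, the threshold values assigned to the Optimized and Strict profiles, the protection names and their metadata are all assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Ordinal scale shared by the severity, confidence and performance impact ratings.
# Treating the three ratings on one scale is a simplification for this example.
LEVELS = {"very-low": 0, "low": 1, "medium": 2, "medium-high": 3, "high": 4, "critical": 5}

# Ascending resource cost of the three IPS protection actions.
COST_RANK = {"inactive": 0, "detect": 1, "prevent": 2}


@dataclass(frozen=True)
class Protection:
    name: str
    severity: str
    confidence: str
    performance_impact: str
    newly_downloaded: bool = False


@dataclass(frozen=True)
class Profile:
    name: str
    min_severity: str
    min_confidence: str
    max_performance_impact: str
    active_action: str = "prevent"
    # Handling of newly downloaded protections: "profile" (activate according to
    # the profile's criteria), "staging" (Detect until an administrator changes
    # it) or "inactive".
    new_protections: str = "profile"


# Illustrative thresholds, not the product's exact defaults.
OPTIMIZED = Profile("Optimized", "medium", "medium-high", "medium")
OPTIMIZED_STAGING = Profile("Optimized (staging)", "medium", "medium-high", "medium",
                            new_protections="staging")
STRICT = Profile("Strict", "low", "low", "high")


def profile_action(prot: Protection, profile: Profile,
                   overrides: Optional[Dict[str, str]] = None) -> str:
    """Action the gateway applies to `prot` under `profile`.

    Precedence: a manual per-protection override (what an administrator sets in
    the IPS Protections page), then the profile's newly-downloaded policy, then
    the profile's activation criteria. Anything that fails the criteria is
    Inactive, the cheapest state."""
    if overrides and prot.name in overrides:
        return overrides[prot.name]
    if prot.newly_downloaded and profile.new_protections == "staging":
        return "detect"
    if prot.newly_downloaded and profile.new_protections == "inactive":
        return "inactive"
    meets_criteria = (
        LEVELS[prot.severity] >= LEVELS[profile.min_severity]
        and LEVELS[prot.confidence] >= LEVELS[profile.min_confidence]
        and LEVELS[prot.performance_impact] <= LEVELS[profile.max_performance_impact]
    )
    return profile.active_action if meets_criteria else "inactive"


def activation_plan(prots: List[Protection], profile: Profile,
                    overrides: Optional[Dict[str, str]] = None) -> Dict[str, str]:
    """Protection name -> action, for a whole protection list under one profile."""
    return {p.name: profile_action(p, profile, overrides) for p in prots}


def cost_rank(action: str) -> int:
    """Relative resource cost of an action (inactive < detect < prevent)."""
    return COST_RANK[action]


# Constructed protection metadata; the names are illustrative, not real protections.
SAMPLE = [
    Protection("Web Server Enforcement Violation", "high", "high", "low"),
    Protection("Deep Protocol Heuristic", "medium", "medium-high", "critical"),
    Protection("New Exploit Kit Signature", "high", "high", "medium", newly_downloaded=True),
    Protection("Low Confidence Scanner Pattern", "low", "low", "very-low"),
]

if __name__ == "__main__":
    for name, action in activation_plan(SAMPLE, OPTIMIZED_STAGING).items():
        print(f"{action:8} {name}")
```

Running the plan against two profiles side by side shows why Strict costs more than Optimized: the low-confidence pattern and nothing else flips to Prevent, while the critical-impact heuristic stays Inactive under both because its performance impact exceeds even the Strict ceiling.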
What is the default Anti-Virus protected scope interface settings?
Options:
DMZ
External and DMZ
External
All
Answer: C
Explanation:
The correct answer is C, External. Anti-Virus protected scope settings define which traffic directions and interface types are sent for file inspection. Check Point explains that these settings are based on interface type (internal or external) and traffic direction (incoming or outgoing). In the Anti-Virus Protected Scope section, the option Inspect incoming files from offers External, External and DMZ, and All. Choosing External means the gateway inspects incoming files arriving on external interfaces only; files entering from DMZ and internal interfaces are not inspected.
The default answer for the exam is therefore External: baseline Anti-Virus behavior concentrates on inbound files from untrusted external interfaces, the most common malware-introduction path for a perimeter deployment. Option A is too narrow because DMZ alone would ignore Internet-to-user inbound exposure. Option B extends inspection to DMZ traffic, a valid configuration choice but not the default. Option D is broader still, increasing coverage and resource use, and is likewise not the default. Before relying on the default, check whether DMZ hosts can push files into the internal network; if they can, External alone leaves that path uninspected. Reference topics: Anti-Virus Settings, Protected Scope, interface topology, incoming file inspection, External interface classification.
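The Anti-Virus scope decision discussed in the items on exclusions, default protocols and the default protected scope, as one added example that is not part of the exam page or Check Point's implementation. The scope and protocol defaults follow the answers keyed above; the "inspect outgoing files" flag, the exclusion representation as (interface type, direction) pairs, and the sample flows are assumptions made for this model.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

# Interface types covered by each "Inspect incoming files from" setting.
SCOPE = {
    "external": {"external"},
    "external_dmz": {"external", "dmz"},
    "all": {"external", "dmz", "internal"},
}


@dataclass(frozen=True)
class AvSettings:
    incoming_from: str = "external"                            # default keyed by the exam item
    inspect_outgoing: bool = False                             # assumed default for this model
    protocols: FrozenSet[str] = frozenset({"http", "https"})   # default keyed by the exam item
    https_inspection: bool = False
    # Exclusions as (interface_type, direction) pairs removed from file inspection,
    # e.g. ("internal", "outgoing") for internal mail and file transfers.
    exclusions: FrozenSet[Tuple[str, str]] = frozenset()


@dataclass(frozen=True)
class FileFlow:
    protocol: str
    interface: str        # interface type the file enters on: "external" | "dmz" | "internal"
    direction: str        # "incoming" (into the protected network) | "outgoing"


def av_inspects(flow: FileFlow, s: AvSettings) -> Tuple[bool, str]:
    """Whether Anti-Virus examines this file transfer, with the deciding reason."""
    if flow.protocol not in s.protocols:
        return False, f"{flow.protocol} is not an enabled Anti-Virus protocol"
    if flow.protocol == "https" and not s.https_inspection:
        return False, "https payload is opaque without HTTPS Inspection"
    if (flow.interface, flow.direction) in s.exclusions:
        return False, "matches an exclusion"
    if flow.direction == "outgoing":
        if s.inspect_outgoing:
            return True, "outgoing files inspected"
        return False, "outgoing files not in scope"
    if flow.interface not in SCOPE[s.incoming_from]:
        return False, f"incoming files from {flow.interface} are outside scope '{s.incoming_from}'"
    return True, "in protected scope"


def coverage_gaps(s: AvSettings) -> List[str]:
    """Configuration findings a reviewer would raise before trusting the AV coverage."""
    gaps = []
    if "https" in s.protocols and not s.https_inspection:
        gaps.append("https enabled but HTTPS Inspection off: most web downloads are uninspected")
    if "smtp" not in s.protocols:
        gaps.append("smtp not enabled: inbound mail attachments bypass Anti-Virus")
    if s.incoming_from == "external":
        gaps.append("scope is External only: files from DMZ hosts into the network are uninspected")
    return gaps


# Constructed settings and flows (not captured traffic).
DEFAULT = AvSettings()
TUNED = AvSettings(incoming_from="external_dmz", inspect_outgoing=True,
                   protocols=frozenset({"http", "https", "smtp"}), https_inspection=True,
                   exclusions=frozenset({("internal", "outgoing")}))

if __name__ == "__main__":
    for flow in (FileFlow("https", "external", "incoming"),
                 FileFlow("smtp", "internal", "outgoing")):
        print(flow, av_inspects(flow, DEFAULT), av_inspects(flow, TUNED))
    for gap in coverage_gaps(DEFAULT):
        print("gap:", gap)
```

The first check in av_inspects is the one that matters most in practice: with the default protocol set and HTTPS Inspection off, an HTTPS download from the Internet is "enabled" on paper and uninspected in fact.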
Which is NOT true of Threat Prevention policy application?
Options:
Only applied after traffic is accepted by Access Control Policy
Traffic is matched against all applicable layers at the same time
Only applies first matched rule
Applied as ordered layer
Answer: B
Explanation:
The correct answer is B, Traffic is matched against all applicable layers at the same time. Threat Prevention policy evaluation is not a flat, simultaneous match across layers. Check Point documentation explains that Threat Prevention policy layers are Ordered Layers and that each ordered layer calculates its action separately from the others. In a single-layer policy package the enforced rule is the first matched rule; with multiple layers, each layer performs its own first-match calculation and the gateway combines the per-layer results, rather than treating all layers as one undifferentiated rulebase.
Option A is true because Threat Prevention inspection follows the Access Control decision; traffic dropped or rejected by Access Control never reaches Threat Prevention. Option C is true within a layer because the first matching rule is enforced. Option D is true because Threat Prevention uses ordered policy layers. The false statement is therefore B. Reference topics: Threat Prevention Policy, Ordered Layers, first-match rule behavior, Access Control before Threat Prevention, multi-layer enforcement logic.
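The enforcement order described in the items on unmatched traffic, Access Control before Threat Prevention, exceptions and ordered layers, as one added example. This is a simplified model written for the page, not Check Point code: the rule and exception structures, the sample network (10.* internal, 10.0.0.5 a vulnerability scanner) and the profile contents are constructed, and combining several layers by taking the strictest per-layer result is the modeling assumption used here.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Conn:
    src: str
    dst: str
    service: str


Pred = Callable[[Conn], bool]


@dataclass(frozen=True)
class AccessRule:
    match: Pred
    action: str                          # "accept" | "drop" | "reject"


@dataclass(frozen=True)
class TpException:
    scope: Pred
    protection: str                      # protection name, or "*" for any protection
    action: str                          # "detect" | "inactive"


@dataclass(frozen=True)
class TpRule:
    scope: Pred                          # protected scope
    profile: Dict[str, str]              # protection -> action the profile assigns
    exceptions: Tuple[TpException, ...] = ()


STRICTNESS = {"accept": 0, "inactive": 0, "detect": 1, "prevent": 2}


def access_control(conn: Conn, rules: List[AccessRule]) -> str:
    """First-match Access Control; unmatched traffic hits the implicit cleanup drop."""
    for rule in rules:
        if rule.match(conn):
            return rule.action
    return "drop"


def layer_action(conn: Conn, protection: str, layer: List[TpRule]) -> str:
    """One ordered layer: the first matching rule selects the profile, an exception
    on that rule overrides the profile's action, and no matching rule means no
    profile is applied, so the layer's result is accept."""
    for rule in layer:
        if rule.scope(conn):
            for ex in rule.exceptions:
                if ex.scope(conn) and ex.protection in ("*", protection):
                    return ex.action
            return rule.profile.get(protection, "inactive")
    return "accept"


def enforce(conn: Conn, protection: str,
            access_rules: List[AccessRule], layers: List[List[TpRule]]) -> str:
    """Final action for a connection on which `protection` fired."""
    verdict = access_control(conn, access_rules)
    if verdict != "accept":
        return verdict                   # dropped/rejected traffic never reaches TP
    results = [layer_action(conn, protection, layer) for layer in layers]
    # Each layer calculates separately; the strictest result is enforced
    # (modeling assumption for combining layers).
    strictest = max(results, key=lambda a: STRICTNESS[a])
    return strictest if STRICTNESS[strictest] else "accept"


def internal(ip: str) -> bool:
    return ip.startswith("10.")


# Constructed policy: telnet is blocked, web is allowed; layer 1 protects all
# internal destinations with an Optimized-like profile and exempts the scanner;
# layer 2 hardens one web server.
ACCESS = [
    AccessRule(lambda c: c.service == "telnet", "drop"),
    AccessRule(lambda c: c.service in ("http", "https"), "accept"),
]
OPTIMIZED_LIKE = {"Log4j RCE": "prevent", "HTTP Header Anomaly": "detect"}
LAYER_1 = [
    TpRule(lambda c: internal(c.dst), OPTIMIZED_LIKE,
           exceptions=(TpException(lambda c: c.src == "10.0.0.5", "*", "detect"),)),
]
LAYER_2 = [TpRule(lambda c: c.dst == "10.0.1.20", {"HTTP Header Anomaly": "prevent"})]

if __name__ == "__main__":
    conn = Conn("203.0.113.7", "10.0.1.10", "http")
    print(enforce(conn, "Log4j RCE", ACCESS, [LAYER_1, LAYER_2]))
```

Two things the model makes visible: a connection to a destination outside every protected scope comes back as accept even when a protection would have fired, and the scanner exception only softens the action to Detect inside the layer that carries it, so a second layer can still Prevent.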
Which statement is true concerning the Custom Policy Tools?
Options:
Block List files - Configure disallowed files.
Allow List Files - Configure allowed files.
Indicators - Configure indicators for benign activity.
Profiles - Edit profiles which are only available for Autonomous Threat Prevention.
Answer: A
Explanation:
The answer keyed by the course guide is A, Block List files - Configure disallowed files. Custom Policy Tools group the Threat Prevention objects and helpers in the Threat Prevention policy view. A Block List file defines files that are to be treated as disallowed or known-bad regardless of what inspection would conclude. Its counterpart is the Allow List, which Check Point documents as a list of trusted files that the Threat Prevention engine does not inspect for malware, viruses and bots, reducing gateway resource use; the guide shows it under Threat Prevention > Custom Policy Tools > Allow List Files.
Option A is the statement this item tests. Note that option B also matches the documented purpose of Allow List Files, so the item is a weak discriminator; the answer key expects the Block List definition. Option C is wrong because indicators describe observables such as IPs, domains, URLs and hashes used for detection and enforcement, not benign activity. Option D is wrong because profiles are not exclusive to Autonomous Threat Prevention; Custom Threat Prevention uses profiles such as Basic, Optimized and Strict. Reference topics: Custom Policy Tools, Block List Files, Allow List Files, Indicators, Threat Prevention Profiles.
Which Tracking option can be used to capture additional data for analysis by Check Point TAC?
Options:
Alert
Forensics
SNMP
User Defined
Answer:
B
Explanation:
The correct answer is B. Forensics. In Threat Prevention policy tracking, Forensics is the tracking option intended to enrich Threat Prevention logs with additional investigation data. Check Point documentation states that the Forensics option adds fields to the Threat Prevention logs, and that this extra information provides a deeper understanding of an attack. The Monitoring Threat Prevention section further explains that Advanced Forensics Details can appear in logs for supported protocols such as DNS, FTP, SMTP, HTTP, and HTTPS, and that this additional information is used by Check Point researchers to analyze attacks.
This is why Forensics is the correct TAC-oriented tracking choice. Alert is a notification-style tracking action, not a deep forensic enrichment mechanism. SNMP sends a management notification, and User Defined invokes administrator-defined alert handling rather than supplying advanced attack-analysis fields. In operational troubleshooting, Forensics is valuable because it preserves richer evidence around the inspected connection, affected blade, protocol behavior, and detection context. Reference topics: Threat Prevention Policy Track Options, Advanced Forensics Details, Logs & Monitor, TAC escalation analysis.
Which of the following is NOT a valid Blade bundle?
Options:
Next Generation Firewall
Next Generation Full Protection
Next Generation Threat Prevention
SandBlast
Answer:
B
Explanation:
The correct answer is B. Next Generation Full Protection. Check Point's documented security subscription package families include NGFW, NGTP, and SNBT/SandBlast. Check Point's 3600 Security Gateway datasheet explicitly lists NGFW, NGTP, and SNBT (SandBlast) as all-inclusive security package columns. The Network Security Software Bundles datasheet also presents the same package structure: NGFW as the base Next Generation Firewall bundle, NGTP as the Next-Gen Threat Prevention package, and SNBT as the SandBlast package that includes NGTP and adds zero-day protection capabilities.
Therefore, Next Generation Firewall, Next Generation Threat Prevention, and SandBlast are valid Check Point blade bundle names in this context. Next Generation Full Protection is not the documented bundle name. It may sound plausible because it describes a comprehensive security posture, but certification questions require exact product and package terminology. In Check Point licensing and subscription design, using the correct bundle name matters because each package maps to a defined set of Software Blades and subscription entitlements. NGFW provides the base firewall/IPS access-control package, NGTP adds known-threat prevention, and SNBT adds advanced SandBlast zero-day protections such as Threat Emulation, Threat Extraction, and Zero Phishing. Reference topics: Check Point Software Blade bundles, NGFW, NGTP, SNBT/SandBlast, package entitlement mapping.