156-590 Check Point Certified Threat Prevention Specialist (CTPS) Questions and Answers
What is the name of the default Threat Prevention Profile?
Options:
A. Basic
B. Standard
C. Strict
D. Optimized
Answer: D
Explanation:
The correct answer is D. Optimized. In Check Point Threat Prevention, profiles define how the gateway applies protections across blades such as IPS, Anti-Bot, Anti-Virus, Threat Emulation, and Threat Extraction. The default profile is Optimized, because it balances effective security with acceptable gateway performance. Check Point documentation states that the Optimized profile is activated by default and that it gives excellent security with good gateway performance.
This design reflects the practical tradeoff in enterprise Threat Prevention: not every protection should be enabled at the most aggressive setting on every gateway, because high-impact protections can increase CPU consumption, latency, and inspection overhead. The Optimized profile uses criteria such as protection severity, confidence, and performance impact to activate protections that are broadly useful without creating unnecessary operational cost. Basic is less aggressive and is intended for lower-impact protection coverage. Strict provides wider coverage but can affect performance more significantly. Standard is not one of the default Threat Prevention profiles in this context. Reference topics: Threat Prevention Profiles, default profile behavior, Optimized Protection Profile settings, blade activation, security/performance balance.
In Anti-Virus, what is one of the benefits of Deep Scanning?
Options:
A. Best performance
B. Minimal resource utilization
C. Minimal buffering
D. Thorough protection
Answer: D
Explanation:
The correct answer is D. Thorough protection. Deep Scanning is selected when the organization wants broader and more complete Anti-Virus inspection, even at the cost of additional processing. Check Point’s Anti-Virus settings documentation shows that administrators can configure file handling to process file types known to contain malware, process specific file-type families, or process all file types. It also states that enabling deep inspection scanning impacts performance.
This is the key tradeoff: Deep Scanning improves protection depth by expanding the set of files and content types subjected to inspection, but it is not the best choice for minimal latency or lowest resource consumption. Options A, B, and C are therefore incorrect because Deep Scanning is not primarily a performance optimization. It can require more CPU, memory, buffering, file classification, and scanning time, especially when paired with archive scanning, HTTPS Inspection, or large file transfers. Its benefit is security completeness: it reduces blind spots by inspecting more file content and providing stronger protection against malware hidden in less common or less obvious file types. Reference topics: Anti-Virus Settings, File Types, Deep Inspection Scanning, process all file types, performance impact, thorough malware protection.
Which of the following is NOT a valid Blade bundle?
Options:
A. Next Generation Firewall
B. Next Generation Full Protection
C. Next Generation Threat Prevention
D. SandBlast
Answer: B
Explanation:
The correct answer is B. Next Generation Full Protection. Check Point’s documented security subscription package families include NGFW, NGTP, and SNBT/SandBlast. Check Point’s 3600 Security Gateway datasheet explicitly lists NGFW, NGTP, and SNBT (SandBlast) as all-inclusive security package columns. The Network Security Software Bundles datasheet also presents the same package structure: NGFW as the base Next Generation Firewall bundle, NGTP as the Next-Gen Threat Prevention package, and SNBT as the SandBlast package that includes NGTP and adds zero-day protection capabilities.
Therefore, Next Generation Firewall, Next Generation Threat Prevention, and SandBlast are valid Check Point blade bundle names in this context. Next Generation Full Protection is not the documented bundle name. It may sound plausible because it describes a comprehensive security posture, but certification questions require exact product and package terminology. In Check Point licensing and subscription design, using the correct bundle name matters because each package maps to a defined set of Software Blades and subscription entitlements. NGFW provides the base firewall/IPS access-control package, NGTP adds known-threat prevention, and SNBT adds advanced SandBlast zero-day protections such as Threat Emulation, Threat Extraction, and Zero Phishing. Reference topics: Check Point Software Blade bundles, NGFW, NGTP, SNBT/SandBlast, package entitlement mapping.
Which Tracking option can be used to capture additional data for analysis by Check Point TAC?
Options:
A. Alert
B. Forensics
C. SNMP
D. User Defined
Answer: B
Explanation:
The correct answer is B. Forensics. In Threat Prevention policy tracking, Forensics is the tracking option intended to enrich Threat Prevention logs with additional investigation data. Check Point documentation states that the Forensics option adds fields to the Threat Prevention logs, and that this extra information provides a deeper understanding of an attack. The Monitoring Threat Prevention section further explains that Advanced Forensics Details can appear in logs for supported protocols such as DNS, FTP, SMTP, HTTP, and HTTPS, and that this additional information is used by Check Point researchers to analyze attacks.
This is why Forensics is the correct TAC-oriented tracking choice. Alert is a notification-style tracking action, not a deep forensic enrichment mechanism. SNMP sends a management notification, and User Defined invokes administrator-defined alert handling rather than supplying advanced attack-analysis fields. In operational troubleshooting, Forensics is valuable because it preserves richer evidence around the inspected connection, affected blade, protocol behavior, and detection context. Reference topics: Threat Prevention Policy Track Options, Advanced Forensics Details, Logs & Monitor, TAC escalation analysis.
How can the IPS Blade be activated?
Options:
A. The IPS Blade must be activated on the Management Server object and can be used on every gateway managed by this Management Server.
B. No need to activate the IPS Blade as long as you have installed the correct IPS license on the gateways.
C. In a ClusterXL deployment, the IPS Blade must be activated on the individual cluster nodes.
D. The IPS Blade must be activated on the individual Security Gateway object.
Answer: D
Explanation:
The correct answer is D. The IPS Blade must be activated on the individual Security Gateway object. Check Point Software Blades are enabled on the enforcement point that inspects traffic, which is the Security Gateway or Cluster object, not merely on the Management Server. The official Threat Prevention guide states that to enable IPS, the administrator opens the Security Gateway / Cluster object, goes to General Properties > Network Security, selects IPS, and follows the wizard. For IPS package installation, Check Point also documents the sequence: enable IPS in the Security Gateway object, enable IPS in the corresponding Threat Prevention policy, and install the Threat Prevention Policy.
Licensing alone is therefore insufficient; a license permits use, but blade activation defines whether the gateway enforces IPS inspection. Option A is wrong because enabling the blade on the Management Server object does not activate IPS enforcement on all managed gateways. Option C is also wrong in standard ClusterXL management because blades are configured on the Cluster object, not separately and inconsistently on individual members. Operationally, enabling IPS on the correct gateway or cluster object ensures SmartConsole exposes the appropriate Threat Prevention controls and that policy installation targets the enforcement points. Reference topics: IPS Blade activation, Gateway object configuration, Threat Prevention policy installation, Cluster object management.
What does the profile cleanup option do?
Options:
A. Adjusts all settings to Detect only
B. Removes all Administrator overrides
C. Deletes all Exemptions
D. Removes corrupt updates
Answer: B
Explanation:
The correct answer is B. Removes all Administrator overrides. Profile Cleanup is a Threat Prevention profile hygiene tool used mainly in IPS protection management. When administrators manually override protections during tuning, exception handling, false-positive analysis, emergency hardening, or staged deployment, those manual changes can accumulate and cause the profile to deviate from its intended design. Check Point’s IPS Protections documentation states that the Profile Cleanup window lets the administrator select actions such as Remove all user modified and Clear all staging, then install the Threat Prevention Policy.
This directly maps to removing administrator overrides. The option does not automatically set all protections to Detect only; Detect is an action used in specific protection or staging contexts, not the purpose of Profile Cleanup. It also does not delete exemptions, because exception rules are separate policy constructs. It does not repair or remove corrupt updates; IPS update package handling is managed through the update and revert workflow. Profile Cleanup is best understood as a reset mechanism: it clears manual activation or staging deviations so the profile can return to its baseline activation policy and blade settings. Reference topics: IPS Protections, Profile Cleanup, Remove all user modified, Clear all staging, Threat Prevention Policy installation.
Are Cleanup Rules mandatory in a Threat Prevention Policy?
Options:
A. Cleanup Rules are not required if you are using the Basic Profile.
B. Cleanup Rules are only required if the Access Control Policy does not have one.
C. Cleanup Rules are not strictly required in the Threat Prevention Policy.
D. A Cleanup Rule is required in a Basic Profile.
Answer: C
Explanation:
The correct answer is C. Cleanup Rules are not strictly required in the Threat Prevention Policy. Threat Prevention policy behavior is governed by ordered layers and rule matching, but an administrator is not forced to create an explicit cleanup rule in every Threat Prevention rulebase. Check Point documentation explains that a Threat Prevention Rule Base can contain multiple Policy Layers and that each layer calculates its action separately. For a single layer, the enforced rule is the first rule matched; for multiple layers, the final behavior depends on the layer matches and resulting action logic.
A cleanup rule is still a strong operational best practice because it makes the terminal behavior explicit, easier to audit, and easier for operations teams to troubleshoot. Without an explicit cleanup rule, behavior depends on the layer’s implicit cleanup logic and the policy architecture. Check Point Security Management documentation shows that implicit cleanup behavior exists at the layer level and can be configured as Drop or Accept in the Layer Editor. The question asks whether cleanup rules are mandatory, not whether they are recommended. Options A and D incorrectly tie cleanup rule requirement to the Basic Profile. Option B incorrectly links Threat Prevention cleanup requirements to the Access Control cleanup rule. Reference topics: Threat Prevention Policy Layers, implicit cleanup rule, explicit cleanup best practice, Layer Editor behavior.
What is the action for newly updated protections that are set to Staging Mode?
Options:
A. Detect
B. Bypass
C. None
D. Prevent
Answer: A
Explanation:
The correct answer is A. Detect. IPS Staging Mode is designed to introduce newly updated protections safely by observing their effect before enforcing active prevention. Check Point documentation states that when newly updated protections are set to Staging Mode, they remain in staging until the administrator changes their configuration. The default action for protections in staging mode is Detect, and this can be changed manually in the IPS Protections page. The R81.20 guide states the same behavior: newly updated protections in staging mode remain there until changed, and their default action is Detect.
This behavior is important during IPS lifecycle management because new signatures can introduce unexpected matches in production traffic. Detect mode allows the gateway to log and expose what the protection would have matched while avoiding immediate blocking. That gives administrators time to validate logs, tune exceptions, confirm confidence level, and assess business impact before switching to Prevent. Bypass would skip inspection and is not the staging default. None is not the default action. Prevent may be the final desired enforcement state, but staging intentionally avoids immediate prevention until analysis is complete. Reference topics: IPS Updates Policy, Staging Mode, Newly Updated Protections, Detect action, IPS protection rollout.
Which is NOT an available setting under Custom Policy Tools?
Options:
A. IPS Protections
B. UserCheck
C. Indicators
D. Malicious Activity Detection
Answer: B
Explanation:
The correct answer is B. UserCheck. In SmartConsole, Custom Policy Tools are used to manage Threat Prevention policy objects and tuning components such as profiles, IPS protections, indicators, and protection categories. The official R81.20 guide shows Custom Policy Tools > Profiles for profile creation, editing, and cloning, and Custom Policy Tools > IPS Protections for managing IPS protection behavior. The same guide also shows Custom Policy Tools > Indicators as the location used to configure external IoC feeds.
Malicious Activity Detection is represented through Threat Prevention protection types: the Protections Browser displays protection types, and the guide states that Malicious Activity and Unusual Activity protection types contain lists of protections. UserCheck, however, is not itself a Custom Policy Tools setting. It is a user interaction and notification mechanism configured inside relevant blade/profile settings, such as Anti-Bot or Zero Phishing UserCheck messages. Therefore, among the choices, UserCheck is the item that does not belong as an available Custom Policy Tools setting. Reference topics: Custom Policy Tools, IPS Protections, Indicators, Threat Prevention Profiles, Protections Browser, UserCheck settings.
Core Activation Exceptions are applied to what?
Options:
A. Protection Groups
B. Threat Cloud
C. Inspection Settings
D. Individual Protections
Answer: D
Explanation:
The correct answer is D. Individual Protections. Core Activation Exceptions are used to override activation behavior at the protection level, not at a broad ThreatCloud, inspection-engine, or protection-group abstraction. The official IPS profile settings documentation explains that the Additional Activation section gives administrators granular control to select IPS protections to activate or deactivate. It states that activated protections are enforced by gateways, while deactivated protections are not enforced, regardless of the general profile protection settings.
Check Point’s IPS Protections documentation reinforces this object-level model: each profile is a set of activated protections plus instructions for what IPS does if traffic matches an activated protection, and administrators can change the action for a specified protection. Therefore, a Core Activation Exception is not a general tuning category and does not apply to the entire ThreatCloud or to engine-wide inspection settings. It is used when a specific protection requires a different activation state than the profile would normally produce. This is common during false-positive handling, staged rollout, exception tuning, or targeted hardening for a specific vulnerability. Reference topics: IPS Protections, Additional Activation, activation overrides, individual protection enforcement, profile-based IPS tuning.
SecureXL full acceleration happens on which component?
Options:
A. irq
B. snd
C. dynamic dispatcher
D. cpu core
Answer: B
Explanation:
The correct answer is B. snd. In Check Point performance architecture, SND means Secure Network Distributor. It is the CoreXL component that receives traffic from network interfaces, performs SecureXL acceleration where possible, and distributes non-accelerated traffic to CoreXL Firewall instances for deeper inspection. Check Point’s Performance Tuning documentation describes CoreXL SND as responsible for processing incoming traffic, securely accelerating authorized packets when SecureXL is enabled, and distributing non-accelerated packets between Firewall kernel instances.
This explains why SND is the correct answer for SecureXL full acceleration. The accelerated path is handled before the traffic is passed into a full firewall inspection path. IRQ is an interrupt mechanism, not the logical acceleration component. A CPU core provides processing capacity, but it is not the named SecureXL acceleration component. The dynamic dispatcher is related to distributing traffic among CoreXL Firewall instances based on load; it is not where SecureXL full acceleration is performed. This distinction matters heavily in performance troubleshooting: high SND utilization, traffic falling to F2F, or excessive PXL/FWK handling can indicate that Threat Prevention inspection is preventing full acceleration. Reference topics: SecureXL, CoreXL SND, accelerated path, dynamic dispatcher, F2F/PXL performance analysis.
Using IPS can send a large part of the traffic to the F2F path. Which command can you use to enforce traffic quotas?
Options:
A. fw dos rate
B. fwaccel rate
C. fw ctl dos
D. fwaccel dos rate
Answer: D
Explanation:
The correct answer is D. fwaccel dos rate. When IPS or other Threat Prevention inspection causes significant traffic to leave the fully accelerated SecureXL path and move to F2F, the gateway can experience higher CPU utilization because more packets require Firewall kernel processing. The fwaccel dos rate command belongs to SecureXL DoS and rate-limiting controls. Check Point’s Performance Tuning guide defines fwaccel dos rate and fwaccel6 dos rate as commands that show and install the Rate Limiting policy in SecureXL. It also notes that the feature is enabled by default without rules.
This makes it the correct command for enforcing traffic quotas or rate-limiting policy in the accelerated path. fw dos rate is not the correct Check Point syntax. fwaccel rate omits the DoS rate-limiting command hierarchy. fw ctl dos is also not the documented command for SecureXL rate policy installation. In operational performance tuning, fwaccel DoS rate controls are useful when the gateway must protect CPU resources from excessive connection rates, volumetric pressure, or inspection-heavy flows that can amplify the impact of Threat Prevention processing. Reference topics: SecureXL DoS Mitigation, Rate Limiting Policy, fwaccel dos rate, F2F path, IPS performance impact.
What does the IPS Follow Protections feature do?
Options:
A. Automatically activates new protections based on profile
B. Flags newly downloaded protections for review
C. Generates a report of activity from new protections
D. Highlights log entries for new protections
Answer: A
Explanation:
The correct answer is A. Automatically activates new protections based on profile. IPS protections are governed by Threat Prevention profiles, and those profiles determine which protections are activated for a rule or policy. Check Point documentation states that a Threat Prevention profile determines which protections are activated and which Software Blades are enabled for the specified rule or policy. For newly downloaded IPS protections, Check Point documents that automatic IPS update behavior can use the profile settings as the default action for those newly downloaded protections.
This is the core logic behind the answer: IPS Follow Protections aligns newly available protections with the active profile’s protection-selection logic instead of requiring the administrator to manually evaluate and activate every update. The profile already contains the criteria for activation, including threat severity, confidence, and performance considerations. Option B describes a different review-oriented workflow, commonly associated with marking protections for follow-up or staging. Option C is incorrect because reporting is a SmartEvent or logging function, not the purpose of Follow Protections. Option D is also incorrect because highlighting log entries does not activate enforcement. Reference topics: IPS profile settings, newly updated IPS protections, automatic update behavior, activation according to profile settings, IPS protection lifecycle.
Which process is responsible for Archive Scanning?
Options:
A. zipscn
B. psl_dlp
C. gzscn_proc
D. dlpu
Answer: A
Explanation:
The correct answer is A. zipscn. Archive Scanning is part of the Anti-Virus file-inspection workflow, where compressed archives must be unpacked and inspected before the gateway can make a final malware-prevention decision. Check Point documentation describes Archive Scanning as the configuration area used to define how the ThreatSpect engine unpacks and scans file archives. It also defines controls such as how long archive processing may continue and what action is taken if the maximum scan time is exceeded. In the Threat Prevention Administration Guide, enabling archive scanning is described as an Anti-Virus setting in which the Anti-Virus engine unpacks archives and applies proactive heuristics, with an explicit note that this feature can impact network performance.
The process name associated with this archive-processing function is zipscn. The distractors do not fit the archive-scanning function: psl_dlp and dlpu are associated with DLP/user-space processing contexts, while gzscn_proc is not the named Archive Scanning process for this blade function. Reference topics: Anti-Virus Settings, Archive Scanning, ThreatSpect engine, archive unpacking, proactive heuristics.
Where is IPS primarily enforced?
Options:
A. Post-infection
B. Post-inspection
C. Pre-infection
D. Pre-inspection
Answer: C
Explanation:
The correct answer is C. Pre-infection. IPS is primarily a pre-infection protection because it is designed to stop exploitation attempts before the target host is compromised. Check Point describes its Threat Prevention solution as a multi-layered defense with both pre-infection and post-infection protections. Within that framework, IPS is the blade that delivers proactive intrusion prevention through signatures, behavioral protections, and preemptive protections, adding protection on top of Firewall enforcement.
This differs from Anti-Bot, which is classically post-infection because it detects infected hosts communicating with command-and-control infrastructure. IPS focuses earlier in the attack chain: reconnaissance, vulnerability exploitation, protocol violations, malicious payload delivery, and attempts to abuse exposed client or server software. It inspects packets and data for risks before successful exploitation results in malware installation, unauthorized access, or control of the system. “Post-inspection” and “pre-inspection” are not the correct lifecycle categories for IPS in Check Point certification terminology. “Post-infection” belongs more naturally to Anti-Bot and compromised-host detection. Reference topics: Threat Prevention Solution, IPS Software Blade, pre-infection defense, proactive intrusion prevention, exploit prevention.
What are the logical components of a SNORT rule?
Options:
A. Rule Header / rule body
B. Rule Header and Rule Options
C. Rule start / rule stop
D. Rule start / rule options
Answer: B
Explanation:
The correct answer is B. Rule Header and Rule Options. Check Point supports SNORT rule import so administrators can create custom IPS protections from SNORT signatures. The official Check Point SNORT Signature Support documentation states that SNORT rules use signatures to define attacks and that a SNORT rule has a rule header and rule options. It also provides the syntax structure, where the first section contains action, protocol, source, destination, ports, and direction, while the options section contains keywords such as message and content match criteria.
The Rule Header defines the traffic selector and enforcement context: protocol, source address, source port, direction, destination address, and destination port. The Rule Options define the detection logic and metadata inside parentheses, such as msg, content, and other matching keywords. “Rule body” is not the formal Check Point/SNORT term in this context, and “rule start/rule stop” is not a recognized logical construction. This matters because imported SNORT rules become IPS protections, so syntax correctness affects whether the Management Server can parse, import, and enforce the custom signature. Reference topics: SNORT Signature Support, Custom IPS Protections, Rule Header, Rule Options, imported SNORT protections.
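As an added illustration (not code from the page or from Check Point), the following Python parser splits a SNORT rule into the two logical components described above: it validates the seven positional Rule Header fields and splits the parenthesised Rule Options on semicolons that sit outside quoted values. The sample rule, the field names and the function names are assumptions made for this example.

```python
from dataclasses import dataclass

# Constructed sample rule for illustration only; not from the page or any real ruleset.
SAMPLE_RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 80 '
               '(msg:"Constructed HTTP probe; admin path"; content:"/admin"; nocase; '
               'sid:1000001; rev:1;)')

# Rule Header: the seven positional fields, in the order SNORT defines them.
HEADER_FIELDS = ("action", "protocol", "src_ip", "src_port",
                 "direction", "dst_ip", "dst_port")


@dataclass
class SnortRule:
    header: dict   # Rule Header: field name -> value, e.g. {"action": "alert", ...}
    options: list  # Rule Options: ordered (keyword, value-or-None) pairs


def split_rule(rule: str):
    """Split a rule into header text and the option text inside the outer parentheses."""
    rule = rule.strip()
    start = rule.find("(")
    if start == -1 or not rule.endswith(")"):
        raise ValueError("rule options must be enclosed in parentheses")
    return rule[:start].strip(), rule[start + 1:-1]


def parse_header(header: str) -> dict:
    """Map the whitespace-separated header tokens onto the seven Rule Header fields."""
    parts = header.split()
    if len(parts) != len(HEADER_FIELDS):
        raise ValueError(f"expected {len(HEADER_FIELDS)} header fields, got {len(parts)}")
    hdr = dict(zip(HEADER_FIELDS, parts))
    if hdr["direction"] not in ("->", "<>"):
        raise ValueError(f"invalid direction operator {hdr['direction']!r}")
    return hdr


def parse_options(opts: str) -> list:
    """Split option text on ';' outside double quotes, then into keyword and optional value."""
    items, buf, in_quote, escaped = [], [], False, False
    for ch in opts:
        if escaped:                     # character after a backslash is taken verbatim
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ";" and not in_quote:  # a ';' inside msg:"..." is data, not a separator
            items.append("".join(buf))
            buf = []
        else:
            if ch == '"':
                in_quote = not in_quote
            buf.append(ch)
    if in_quote:
        raise ValueError("unterminated quoted value in rule options")
    if "".join(buf).strip():
        items.append("".join(buf))
    parsed = []
    for item in items:
        item = item.strip()
        if not item:
            continue
        key, sep, val = item.partition(":")
        val = val.strip() if sep else None
        if val is not None and len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]             # drop the quotes around msg/content values
        parsed.append((key.strip(), val))
    return parsed


def parse_rule(rule: str) -> SnortRule:
    """Parse a full SNORT rule into its Rule Header and Rule Options."""
    header, opts = split_rule(rule)
    return SnortRule(parse_header(header), parse_options(opts))


def is_valid_rule(rule: str) -> bool:
    """True when the rule has a well-formed header and option section."""
    try:
        parse_rule(rule)
        return True
    except ValueError:
        return False
```

A rule that fails `is_valid_rule` here (missing header field, bad direction operator, unterminated quote) is the kind of syntax defect that would stop a Management Server import from producing a usable IPS protection.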
Which is NOT true of Threat Prevention policy application?
Options:
A. Only applied after traffic is accepted by Access Control Policy
B. Traffic is matched against all applicable layers at the same time
C. Only applies first matched rule
D. Applied as ordered layer
Answer: B
Explanation:
The correct answer is B. Traffic is matched against all applicable layers at the same time. Threat Prevention policy evaluation is not best described as a flat simultaneous match against all applicable layers. Check Point documentation explains that Threat Prevention Policy Layers are Ordered Layers, and that each ordered layer calculates its action separately from the other layers. In a single-layer policy package, the enforced rule is the first matched rule. In multiple-layer policy behavior, matching and enforcement are determined by the layer calculations and the applicable action logic, rather than by one undifferentiated simultaneous match model.
Option A is true because Threat Prevention inspection is applied after the Access Control policy allows the connection; traffic dropped or rejected by Access Control does not proceed to Threat Prevention enforcement. Option C is true for a single Threat Prevention layer because the first matching rule is enforced. Option D is also true because Threat Prevention uses ordered policy-layer behavior. The false statement is therefore option B. Reference topics: Threat Prevention Policy, Ordered Layers, first-match rule behavior, Access Control before Threat Prevention, multi-layer enforcement logic.
What are the three Preconfigured Threat Prevention Profiles?
Options:
A. Inbound, Outbound, Etherbound.
B. Perimeter, Datacenter, East-West Communication.
C. North-South, East-West, Lateral Movement.
D. Basic, Optimized, Strict.
Answer: D
Explanation:
The correct answer is D. Basic, Optimized, Strict. Check Point supplies out-of-the-box Threat Prevention profiles to give administrators predefined security/performance baselines. The official Threat Prevention Profiles section states that administrators can clone a selected profile but cannot change the out-of-the-box profiles: Basic, Optimized, and Strict.
These profiles represent different operating postures. Basic is designed for reliable protection with lower performance impact. Optimized is the default-style balanced approach, providing strong protection for common products and protocols while preserving gateway performance. Strict provides wider coverage and more aggressive protection selection, but can increase inspection cost and may require closer tuning. The other answer choices describe architectural traffic directions or deployment zones, not the official preconfigured profile names. “Perimeter,” “Datacenter,” and “East-West” are useful design concepts, especially in modern segmentation and Autonomous Threat Prevention discussions, but they are not the three preconfigured Custom Threat Prevention profiles in this question. From a certification perspective, the distinction matters because profiles are selected as the Action in Threat Prevention rules and determine which protections and blades are active. Reference topics: Threat Prevention Profiles, out-of-the-box profiles, Basic profile, Optimized profile, Strict profile, profile cloning.
Which feature can improve performance by allowing the gateway to bypass Anti-Virus inspection of specific files?
Options:
A. Content Control
B. Exclusions
C. Exceptions
D. Bypass
Answer: B
Explanation:
The correct answer is B. Exclusions. In Anti-Virus policy design, exclusions are used to remove selected traffic or file categories from Anti-Virus inspection when inspection is unnecessary, redundant, or too costly for the business flow. Check Point documentation states that Threat Prevention can be configured to exclude files from inspection, including examples such as internal emails and internal file transfers. The same section explains that these settings are based on interface type and traffic direction.
This directly aligns with the performance objective in the question: if the gateway does not inspect files that are already trusted, internal, or operationally low-risk, Anti-Virus consumes fewer CPU, memory, buffering, and content-inspection resources. Content Control is not the Anti-Virus bypass feature named in this context. Exceptions are policy-level constructs that can exclude traffic from Threat Prevention enforcement, but the question specifically asks for the feature that improves Anti-Virus performance by bypassing inspection of specific files, which is Exclusions. Bypass describes the effect, not the named feature. Reference topics: Anti-Virus Settings, Protected Scope, file inspection exclusions, interface direction, Threat Prevention performance optimization.