What does the profile cleanup option do?
A. Adjusts all settings to Detect only
B. Removes all Administrator overrides
C. Deletes all Exemptions
D. Removes corrupt updates
The correct answer is B. Removes all Administrator overrides. Profile Cleanup is a Threat Prevention profile hygiene tool used mainly in IPS protection management. When administrators manually override protections during tuning, exception handling, false-positive analysis, emergency hardening, or staged deployment, those manual changes can accumulate and cause the profile to deviate from its intended design. Check Point’s IPS Protections documentation states that the Profile Cleanup window lets the administrator select actions such as "Remove all user modified" and "Clear all staging", then install the Threat Prevention Policy.
This directly maps to removing administrator overrides. The option does not automatically set all protections to Detect only; Detect is an action used in specific protection or staging contexts, not the purpose of Profile Cleanup. It also does not delete exemptions, because exception rules are separate policy constructs. It does not repair or remove corrupt updates; IPS update package handling is managed through the update and revert workflow. Profile Cleanup is best understood as a reset mechanism: it clears manual activation or staging deviations so the profile can return to its baseline activation policy and blade settings. Reference topics: IPS Protections, Profile Cleanup, Remove all user modified, Clear all staging, Threat Prevention Policy installation.
What are the logical components of a SNORT rule?
A. Rule Header / rule body
B. Rule Header and Rule Options
C. Rule start / rule stop
D. Rule start / rule options
The correct answer is B. Rule Header and Rule Options. Check Point supports SNORT rule import so administrators can create custom IPS protections from SNORT signatures. The official Check Point SNORT Signature Support documentation states that SNORT rules use signatures to define attacks and that a SNORT rule has a rule header and rule options. It also provides the syntax structure, where the first section contains action, protocol, source, destination, ports, and direction, while the options section contains keywords such as message and content match criteria.
The Rule Header defines the traffic selector and enforcement context: protocol, source address, source port, direction, destination address, and destination port. The Rule Options define the detection logic and metadata inside parentheses, such as msg, content, and other matching keywords. “Rule body” is not the formal Check Point/SNORT term in this context, and “rule start/rule stop” is not a recognized logical construction. This matters because imported SNORT rules become IPS protections, so syntax correctness affects whether the Management Server can parse, import, and enforce the custom signature. Reference topics: SNORT Signature Support, Custom IPS Protections, Rule Header, Rule Options, imported SNORT protections.
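The header/options split described above, as an added example that is not Check Point's importer or any SNORT project code: a small Python parser that separates a rule into its seven header fields and its ordered option list, keeps a ';' inside a quoted content or msg value from being treated as an option separator, and rejects a rule whose header is missing a field. The sample rules are constructed, and treating `sid` as a required option is an assumption of this example.

```python
"""Split a SNORT rule into its two logical components: the Rule Header
(action, protocol, source, source port, direction, destination,
destination port) and the Rule Options (the keyword:value pairs inside
the parentheses). Hypothetical helper code, not Check Point's importer."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

HEADER_FIELDS = ("action", "protocol", "src", "src_port",
                 "direction", "dst", "dst_port")
ACTIONS = {"alert", "log", "pass", "drop", "reject", "sdrop"}
DIRECTIONS = {"->", "<>"}


@dataclass
class SnortRule:
    header: dict                              # one entry per HEADER_FIELDS name
    options: List[Tuple[str, Optional[str]]]  # (keyword, value) in rule order


def _split_options(body: str) -> List[str]:
    """Split the option body on ';' outside double quotes, honouring
    backslash escapes, so content:"a;b" stays a single option."""
    items, cur, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == '"':
            cur.append(ch)
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            items.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    if in_quote:
        raise ValueError("unterminated quoted string in rule options")
    tail = "".join(cur).strip()
    if tail:
        raise ValueError(f"option '{tail}' is not terminated by ';'")
    return [item for item in items if item]


def parse_snort_rule(text: str) -> SnortRule:
    text = text.strip()
    if "(" not in text or not text.endswith(")"):
        raise ValueError("rule options must be enclosed in '(' ... ')'")
    head, _, body = text.partition("(")        # header has no parentheses
    fields = head.split()
    if len(fields) != len(HEADER_FIELDS):
        raise ValueError(f"rule header needs {len(HEADER_FIELDS)} fields, "
                         f"got {len(fields)}: {head.strip()!r}")
    header = dict(zip(HEADER_FIELDS, fields))
    if header["action"] not in ACTIONS:
        raise ValueError(f"unknown rule action {header['action']!r}")
    if header["direction"] not in DIRECTIONS:
        raise ValueError(f"direction must be '->' or '<>', got {header['direction']!r}")
    options: List[Tuple[str, Optional[str]]] = []
    for item in _split_options(body[:-1]):      # drop the closing ')'
        keyword, sep, value = item.partition(":")
        keyword = keyword.strip()
        if not sep:
            options.append((keyword, None))     # flag-style modifier, e.g. nocase
            continue
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]                 # unquote msg/content values
        options.append((keyword, value))
    return SnortRule(header, options)


def import_check(text: str) -> Tuple[bool, str]:
    """Go/no-go decision in the spirit of an importer: a rule that does not
    parse cannot become a custom IPS protection. Requiring 'sid' is this
    example's assumption, not a documented Check Point requirement."""
    try:
        rule = parse_snort_rule(text)
    except ValueError as exc:
        return False, str(exc)
    if "sid" not in [k for k, _ in rule.options]:
        return False, "rule has no sid option"
    return True, (f"{rule.header['action']} {rule.header['protocol']} rule "
                  f"with {len(rule.options)} options")


# Constructed sample rules (not real signatures).
GOOD_RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 80 '
             '(msg:"CONSTRUCTED test; semicolon inside quotes"; '
             'flow:to_server,established; content:"X-Demo-Header|3a| a;b"; nocase; '
             'sid:1000001; rev:1;)')
BAD_RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET '
            '(msg:"missing destination port"; sid:1000002;)')

if __name__ == "__main__":
    for rule_text in (GOOD_RULE, BAD_RULE):
        print(import_check(rule_text))
```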
What is the name of the default Threat Prevention Profile?
A. Basic
B. Standard
C. Strict
D. Optimized
The correct answer is D. Optimized. In Check Point Threat Prevention, profiles define how the gateway applies protections across blades such as IPS, Anti-Bot, Anti-Virus, Threat Emulation, and Threat Extraction. The default profile is Optimized, because it balances effective security with acceptable gateway performance. Check Point documentation states that the Optimized profile is activated by default and that it gives excellent security with good gateway performance.
This design reflects the practical tradeoff in enterprise Threat Prevention: not every protection should be enabled at the most aggressive setting on every gateway, because high-impact protections can increase CPU consumption, latency, and inspection overhead. The Optimized profile uses criteria such as protection severity, confidence, and performance impact to activate protections that are broadly useful without creating unnecessary operational cost. Basic is less aggressive and is intended for lower-impact protection coverage. Strict provides wider coverage but can affect performance more significantly. Standard is not one of the default Threat Prevention profiles in this context. Reference topics: Threat Prevention Profiles, default profile behavior, Optimized Protection Profile settings, blade activation, security/performance balance.
In Anti-Virus, what is one of the benefits of Deep Scanning?
A. Best performance
B. Minimal resource utilization
C. Minimal buffering
D. Thorough protection
The correct answer is D. Thorough protection. Deep Scanning is selected when the organization wants broader and more complete Anti-Virus inspection, even at the cost of additional processing. Check Point’s Anti-Virus settings documentation shows that administrators can configure file handling to process file types known to contain malware, process specific file-type families, or process all file types. It also states that enabling deep inspection scanning impacts performance.
This is the key tradeoff: Deep Scanning improves protection depth by expanding the set of files and content types subjected to inspection, but it is not the best choice for minimal latency or lowest resource consumption. Options A, B, and C are therefore incorrect because Deep Scanning is not primarily a performance optimization. It can require more CPU, memory, buffering, file classification, and scanning time, especially when paired with archive scanning, HTTPS Inspection, or large file transfers. Its benefit is security completeness: it reduces blind spots by inspecting more file content and providing stronger protection against malware hidden in less common or less obvious file types. Reference topics: Anti-Virus Settings, File Types, Deep Inspection Scanning, process all file types, performance impact, thorough malware protection.
What are the three Preconfigured Threat Prevention Profiles?
A. Inbound, Outbound, Etherbound.
B. Perimeter, Datacenter, East-West Communication.
C. North-South, East-West, Lateral Movement.
D. Basic, Optimized, Strict.
The correct answer is D. Basic, Optimized, Strict. Check Point supplies out-of-the-box Threat Prevention profiles to give administrators predefined security/performance baselines. The official Threat Prevention Profiles section states that administrators can clone a selected profile but cannot change the out-of-the-box profiles: Basic, Optimized, and Strict.
These profiles represent different operating postures. Basic is designed for reliable protection with lower performance impact. Optimized is the default, balanced profile, providing strong protection for common products and protocols while preserving gateway performance. Strict provides wider coverage and more aggressive protection selection, but can increase inspection cost and may require closer tuning. The other answer choices describe architectural traffic directions or deployment zones, not the official preconfigured profile names. “Perimeter,” “Datacenter,” and “East-West” are useful design concepts, especially in modern segmentation and Autonomous Threat Prevention discussions, but they are not the three preconfigured Custom Threat Prevention profiles in this question. From a certification perspective, the distinction matters because profiles are selected as the Action in Threat Prevention rules and determine which protections and blades are active. Reference topics: Threat Prevention Profiles, out-of-the-box profiles, Basic profile, Optimized profile, Strict profile, profile cloning.
What happens to traffic that matches the Access Control Policy but not the Threat Prevention Policy?
A. It is dropped and logged.
B. It is accepted and logged.
C. It is accepted.
D. The traffic is not dropped. It is simply not inspected by the Threat Prevention Engine.
The correct answer is D. The traffic is not dropped. It is simply not inspected by the Threat Prevention Engine. Access Control and Threat Prevention are separate enforcement stages. The Access Control policy first decides whether the connection is allowed, rejected, or dropped. If Access Control accepts the connection, Threat Prevention is then applied only if the connection matches a Threat Prevention rule and therefore receives a Threat Prevention profile. Check Point documentation describes Threat Prevention policy as the mechanism used to activate only the protections needed and prevent attacks that most threaten the network. It also explains that Threat Prevention policy layers calculate their action separately and that in a single layer, the first matched rule is enforced.
Therefore, if accepted traffic does not match the Threat Prevention rulebase, no Threat Prevention profile is selected for that connection. The traffic is not blocked merely because of the non-match; it passes according to the Access Control decision, but without Threat Prevention inspection. Option A is too aggressive and incorrect. Option B incorrectly assumes logging. Option C is directionally true but incomplete because the key point is that Threat Prevention inspection is not applied. Reference topics: Access Control before Threat Prevention, Threat Prevention Rule Base, profile selection, unmatched traffic, ordered layer evaluation.
How many Custom Threat Indicators patterns/observables does R81.20 support?
A. 10 million
B. 2 hundred thousand
C. 6 million
D. 2 million
The correct answer is D. 2 million. In R81.20, Check Point expanded the supported scale for custom threat intelligence observables. The R81.20 Threat Prevention Administration Guide states that, starting from R81.20, the Security Gateway supports at least 2 million patterns/observables for URL, Domain, IP address, and Hash observable types. It also notes that the maximum number is limited by available memory and disk space on the Security Gateway, and that the gateway checks whether 50% of total memory is free before loading more patterns or observables.
This capability applies to Custom Intelligence Feeds, which let administrators fetch feeds from third-party servers directly to the Security Gateway for enforcement by the Anti-Virus, Anti-Bot, and IPS blades. The feature reduces operational overhead by allowing external indicators to be managed and monitored through the Threat Prevention enforcement path. The incorrect options either understate or overstate the documented baseline. An "unlimited" figure would also be wrong, because Check Point explicitly ties the upper boundary to memory and disk capacity. Reference topics: Custom Threat Indicators, External IoC Feeds, Custom Intelligence Feeds, observable scale, R81.20 Threat Prevention, URL/domain/IP/hash indicators.
Which are possible Anti-Virus Scanning Technologies?
A. Inspect or Bypass
B. Active Streaming, Passive Streaming, Deep Scanning and Archive Scanning
C. Active and Passive Scanning
D. Automatic Scanning, Manual Scanning, On-Demand Scanning, Scheduled Scanning
The correct answer is B. Active Streaming, Passive Streaming, Deep Scanning and Archive Scanning. Anti-Virus scanning in Check Point Threat Prevention uses multiple content-inspection technologies to balance security, performance, and protocol behavior. Check Point Security Gateway documentation identifies the streaming architecture: the MUX layer chooses to work over PSL (the Passive Streaming Layer) or CPAS (Check Point Active Streaming). The Anti-Virus settings documentation also shows Deep Scanning behavior through file-type processing, including "Process all file types" and "Enable deep inspection scanning", with an explicit performance-impact warning. It also describes Archive Scanning, where the Anti-Virus engine unpacks archives and applies proactive heuristics.
This makes option B the only complete answer. “Inspect or Bypass” describes possible handling actions, not scanning technologies. “Active and Passive Scanning” is incomplete because it omits deep inspection and archive handling. “Automatic, Manual, On-Demand, Scheduled” describes update or operational timing concepts, not Anti-Virus scanning engines. In practice, Active/Passive Streaming controls how traffic is handled in the inspection pipeline, Deep Scanning expands the set of file types inspected, and Archive Scanning opens compressed containers to detect malware hidden inside them. Reference topics: Anti-Virus Settings, CPAS, PSL, Deep Inspection Scanning, Archive Scanning.
What is necessary to do after an IPS Signature update?
A. Perform "Install Database".
B. Install the Threat Prevention Policy.
C. Those changes are immediately active.
D. Install the Access Control Policy.
The correct official-guide answer is B. Install the Threat Prevention Policy. IPS protections can be updated manually or by schedule, and Check Point documentation states that IPS can be updated with real-time information on attacks and the latest protections. However, the same official section explicitly notes that to enforce the IPS updates, you must install the Threat Prevention Policy. The documented update procedure also ends with installing the Threat Prevention Policy after selecting the IPS update method.
This distinction is important: downloading or updating the IPS package makes the updated protections available to management and policy logic, but enforcement on Security Gateways depends on policy installation. “Install Database” is not the correct enforcement step for gateway inspection. Installing the Access Control Policy is also incorrect because IPS ThreatCloud protections are part of the Threat Prevention policy framework, not the Access Control rulebase. The statement that changes are immediately active is not the current official behavior for enforcing IPS updates on gateways. In production operations, scheduled IPS updates may be paired with automatic Threat Prevention policy installation, but that still confirms the requirement: the policy must be installed for enforcement. Reference topics: Updating IPS Protections, Threat Prevention Policy installation, IPS update enforcement, scheduled updates.
Which mode allows you to tune or troubleshoot the Threat Prevention Blade?
A. Observe Mode
B. Detect Mode
C. Display Mode
D. Watch Mode
The correct answer is B. Detect Mode. Detect Mode is used when an administrator wants visibility into Threat Prevention behavior without immediately enforcing a blocking decision. In troubleshooting and tuning, this is essential because it allows security teams to identify which protections would have triggered, review logs, validate false positives, and adjust profiles or exceptions before moving to full prevention. Check Point’s official troubleshooting guidance for Autonomous Threat Prevention describes Detect Only mode and states that, in that mode, protections set to Prevent allow traffic to pass while continuing to track threats according to the Track setting.
This makes Detect Mode the correct operational mode for safe tuning. It preserves observability while reducing the risk of production disruption during policy validation, IPS profile changes, new blade rollout, or incident investigation. Observe Mode, Display Mode, and Watch Mode are not the Check Point Threat Prevention operating modes used for this purpose in the exam context. In a certification scenario, Detect Mode should be understood as a non-blocking validation state: it logs and tracks what Threat Prevention would have done, but does not stop the connection based on a Prevent action. Reference topics: Detect Only, Threat Prevention troubleshooting, profile tuning, false-positive validation, Track settings.
What is a function of SmartEvent?
A. Runs on the Security Gateway generating events
B. Generates logs for customizable views
C. A Multi-Domain level log forwarding tool used to forward logs to syslog or similar external tools
D. Correlates Security Gateway logs into easily understandable events
The correct answer is D. Correlates Security Gateway logs into easily understandable events. SmartEvent is Check Point’s event-correlation and analysis system. It does not simply generate raw logs; logs are generated by Security Gateways and other Check Point components. SmartEvent consumes those logs, analyzes them against event policies, identifies patterns, and produces higher-level events suitable for investigation, dashboards, reports, and incident workflows. Check Point documentation explains that the SmartEvent Correlation Unit analyzes each log entry from a Log Server, looks for patterns according to the installed Event Policy, and forwards identified events to the SmartEvent Server.
This directly eliminates the distractors. SmartEvent does not run on the Security Gateway as the log-generating enforcement component. It does not generate logs merely so views can be customized; rather, it indexes, correlates, and presents logs and events. It is not principally a Multi-Domain syslog-forwarding tool. Its architectural value is correlation: it transforms large volumes of gateway logs into meaningful security events, reducing analyst workload and enabling threat timelines, reports, executive summaries, and incident management. Reference topics: SmartEvent Architecture, SmartEvent Correlation Unit, Event Policy, Log Server analysis, threat-event correlation.
At what point is the Anti-Bot blade enforced?
A. Pre-infection
B. Post-infection
C. Pre-inspection
D. Post-inspection
The correct answer is B. Post-infection. Anti-Bot is the Threat Prevention blade focused on identifying and stopping bot-infected hosts after compromise indicators appear. Check Point documentation explicitly describes Anti-Bot as performing post-infection detection of bots on hosts and preventing bot damage by blocking command-and-control communications. The broader Threat Prevention guide also lists Anti-Bot as post-infection detection and explains that it uses ThreatCloud intelligence and multiple detection methods to identify bot activity.
This differs from IPS and Anti-Virus positioning. IPS and Anti-Virus are commonly understood as pre-infection controls because they attempt to block exploit traffic or malicious files before the host is compromised. Anti-Bot, by contrast, assumes the possibility that a host may already be infected and focuses on detecting outbound C&C communication, botnet behavior, malicious destinations, and other compromise evidence. Pre-inspection and post-inspection are not valid lifecycle categories for this blade in the exam context. In real operations, Anti-Bot is especially valuable for finding infected internal machines that bypassed earlier preventive controls or became infected off-network. Reference topics: Anti-Bot Software Blade, post-infection detection, Command and Control prevention, ThreatCloud intelligence, botnet behavior detection.
Which is NOT a rating used in IPS Protection selection/activation?
A. Severity
B. CPU Utilization
C. Confidence Level
D. Performance Impact
The correct answer is B. CPU Utilization. IPS protection selection and activation are based on protection metadata and profile criteria, not a direct CPU-utilization rating. The official Threat Prevention guide states that a Threat Prevention profile activates protections according to factors including the performance impact of the protection, the severity of the threat, the confidence that a protection can correctly identify an attack, and settings specific to the Software Blade.
The same R81.20 guide shows how the Optimized profile uses these criteria: protections are set to Prevent or Detect based on Confidence Level, Performance Impact, and Severity thresholds. CPU utilization is certainly relevant in performance troubleshooting, capacity planning, and operational monitoring, but it is not one of the IPS protection-selection ratings. In practice, CPU usage is an observed runtime metric, while Performance Impact is the predefined protection attribute used by profiles to decide whether a protection should be active, detect-only, or prevented. This distinction matters in certification: IPS tuning is driven by profile attributes, while CPU utilization is reviewed afterward through monitoring tools such as CPView, logs, and performance diagnostics. Reference topics: IPS Protection ratings, Threat Prevention Profiles, Severity, Confidence Level, Performance Impact, activation criteria.
Which DNS Protection mechanism has been introduced with R81.20?
A. Propagation of a Bogus IP as a response to a DNS request.
B. Malware DNS Trap.
C. ThreatCloud DNS Tunneling Protection.
D. Synchronization of the /etc/hosts file from Protection servers.
The correct answer is C. ThreatCloud DNS Tunneling Protection. Check Point R81.20 introduced major Advanced Threat Prevention enhancements, including AI Deep Learning improvements for DNS attacks. The R81.20 Release Notes state that AI Deep Learning prevents more DNS attacks in real time and specifically reference ThreatCloud DNS tunneling protection as part of the DNS Security enhancements.
DNS tunneling protection is distinct from Malware DNS Trap. Malware DNS Trap returns a false or bogus IP address for known malicious hosts and domains, and it can help identify compromised clients by observing connection attempts to the false trap address. That mechanism is what options A and B describe, but it is not the R81.20-introduced DNS protection being tested here. ThreatCloud DNS Tunneling Protection targets a different technique: abuse of DNS as a covert channel for command-and-control, data exfiltration, or tunneling traffic through recursive DNS infrastructure. Option D is unrelated to Check Point DNS Threat Prevention architecture. Reference topics: R81.20 Advanced Threat Prevention, DNS Security, ThreatCloud DNS Tunneling Protection, Malware DNS Trap, Anti-Bot and Anti-Virus DNS protections.
Benign testing sites are useful for what purpose?
A. Testing rulebase reaction to tested traffic
B. Verify if SmartEvent is capturing appropriate traffic
C. Testing if URLs are malicious
D. Verify Threat Prevention Blades are performing properly
The correct answer is D. Verify Threat Prevention Blades are performing properly. Benign testing sites are controlled test resources used to validate that the Threat Prevention path is functioning without exposing the organization to real malware or live malicious infrastructure. Check Point documentation includes examples of test events generated by a Security Gateway, including a path named TestAntiBotBlade.html, which demonstrates that test-oriented resources can be used to confirm Anti-Bot/ThreatCloud detection and logging behavior without relying on an actual infection.
The key purpose is operational validation: confirm that the blade is enabled, the gateway can query or use ThreatCloud intelligence, the correct policy is installed, logs are generated, and the expected prevent/detect behavior occurs. Option A is narrower because rulebase reaction may be one part of testing, but the broader goal is to verify blade operation. Option B is also too narrow because SmartEvent visibility depends on logging and event correlation, while the test’s main purpose is not specifically SmartEvent validation. Option C is incorrect because benign testing sites are not used to decide whether real URLs are malicious; they are intentionally safe test endpoints. Reference topics: Threat Prevention blade validation, Anti-Bot test page, ThreatCloud event testing, logging verification, operational health checks.
SecureXL full acceleration happens on which component?
A. irq
B. snd
C. dynamic dispatcher
D. cpu core
The correct answer is B. snd. In Check Point performance architecture, SND means Secure Network Distributor. It is the CoreXL component that receives traffic from network interfaces, performs SecureXL acceleration where possible, and distributes non-accelerated traffic to CoreXL Firewall instances for deeper inspection. Check Point’s Performance Tuning documentation describes CoreXL SND as responsible for processing incoming traffic, securely accelerating authorized packets when SecureXL is enabled, and distributing non-accelerated packets between Firewall kernel instances.
This explains why SND is the correct answer for SecureXL full acceleration. The accelerated path is handled before the traffic is passed into a full firewall inspection path. IRQ is an interrupt mechanism, not the logical acceleration component. A CPU core provides processing capacity, but it is not the named SecureXL acceleration component. The dynamic dispatcher is related to distributing traffic among CoreXL Firewall instances based on load; it is not where SecureXL full acceleration is performed. This distinction matters heavily in performance troubleshooting: high SND utilization, traffic falling to F2F, or excessive PXL/FWK handling can indicate that Threat Prevention inspection is preventing full acceleration. Reference topics: SecureXL, CoreXL SND, accelerated path, dynamic dispatcher, F2F/PXL performance analysis.
Where is IPS primarily enforced?
A. Post-infection
B. Post-inspection
C. Pre-infection
D. Pre-inspection
The correct answer is C. Pre-infection. IPS is primarily a pre-infection protection because it is designed to stop exploitation attempts before the target host is compromised. Check Point describes its Threat Prevention solution as a multi-layered defense with both pre-infection and post-infection protections. Within that framework, IPS is the blade that delivers proactive intrusion prevention through signatures, behavioral protections, and preemptive protections, adding protection on top of Firewall enforcement.
This differs from Anti-Bot, which is classically post-infection because it detects infected hosts communicating with command-and-control infrastructure. IPS focuses earlier in the attack chain: reconnaissance, vulnerability exploitation, protocol violations, malicious payload delivery, and attempts to abuse exposed client or server software. It inspects packets and data for risks before successful exploitation results in malware installation, unauthorized access, or control of the system. “Post-inspection” and “pre-inspection” are not the correct lifecycle categories for IPS in Check Point certification terminology. “Post-infection” belongs more naturally to Anti-Bot and compromised-host detection. Reference topics: Threat Prevention Solution, IPS Software Blade, pre-infection defense, proactive intrusion prevention, exploit prevention.
What action is taken by Threat Prevention for traffic that does not match any Threat Prevention rules?
A. Reject
B. Drop
C. Accept
D. Detect
The correct answer is C. Accept. Threat Prevention is applied only to traffic that has already been accepted by the Access Control policy, and then the Threat Prevention rulebase determines which protection profile, blade behavior, and tracking settings apply. When traffic does not match a Threat Prevention rule, no Threat Prevention profile is selected for that connection, so the traffic is not blocked by Threat Prevention simply because of a non-match. Check Point documentation explains that Threat Prevention policy layers calculate their actions according to rule matching, and in a single-layer policy the enforced rule is the first matched rule.
This distinction is critical for certification and real operations. Threat Prevention is not a replacement for the Access Control decision; it is a follow-up inspection layer for already accepted traffic. A non-match in Threat Prevention means the traffic is outside the configured protected scope or rule conditions, so the Threat Prevention engine does not apply a prevent/drop/reject action to it. Reject and Drop are enforcement outcomes for matched malicious or blocked traffic, not for unmatched Threat Prevention traffic. Detect is a logging/enforcement mode for matched protections, not the default result of no rule match. Reference topics: Threat Prevention Policy, ordered layer behavior, protected scope, first-match rule logic, unmatched traffic handling.
Which location is NOT able to create a Threat Prevention Exception?
A. Policy Rule
B. Log Overview
C. Log Details
D. SmartView
The correct answer is D. SmartView. Threat Prevention exceptions are created and managed in SmartConsole policy and log workflows, not from SmartView as the tested location. Check Point documentation states that an exception can be added directly to a rule, and the procedure begins by selecting the rule in the Policy pane and clicking Add Exception. It also documents creating exceptions from IPS Protections and from logs or events in the Logs & Monitor view, where the administrator right-clicks a log and selects Add Exception.
This validates Policy Rule, Log Overview, and Log Details-style workflows as valid exception creation contexts. SmartView, by contrast, is primarily used for browser-based log viewing, reporting, dashboards, and event analysis. It is not the SmartConsole policy-editing context where Threat Prevention exception rules are inserted into the policy package and then installed. The operational reason is enforcement integrity: exceptions modify the compiled Threat Prevention policy, so they must be created in a policy-aware workflow where protected scope, protection/site/file/blade, action, track, install targets, and policy installation are controlled. Reference topics: Exception Rules, Adding Exception to Rule, Creating Exceptions from Logs or Events, IPS Protections exceptions, Threat Prevention Policy installation.
TESTED 30 May 2026