Pass the Checkpoint CTPS 156-590 Questions and answers with ExamsMirror

The correct answer is D. Inactive . A protection set to Inactive is not enforced for matching traffic, so it does not impose the same inspection and enforcement cost as active protection states. Check Point documentation explains that a Threat Prevention profile determines which protections are activated and which Software Blades are enabled for a rule or policy. The protections a profile activates depend on factors such as performance impact, threat severity, confidence level, and blade-specific settings. Check Point best-practice material also describes that administrators may tune IPS profiles and set protections to prevent , detect , or inactive .

The relative resource logic is direct: Prevent is usually the most expensive because the gateway must inspect and enforce a blocking action inline. Inspect and Detect still require traffic analysis and matching logic, even if the final result is logging rather than prevention. Inactive removes the protection from enforcement consideration, making it the lowest resource option. This does not mean administrators should disable protections indiscriminately; Inactive should be used only when justified by risk, false-positive analysis, performance tuning, or compensating controls. Reference topics: IPS profile tuning, activation settings, performance impact, Prevent/Detect/Inactive behavior, Threat Prevention optimization.

The correct answer is B. Forensics . In Threat Prevention policy tracking, Forensics is the tracking option intended to enrich Threat Prevention logs with additional investigation data. Check Point documentation states that the Forensics option adds fields to the Threat Prevention logs , and that this extra information provides a deeper understanding of an attack. The Monitoring Threat Prevention section further explains that Advanced Forensics Details can appear in logs for supported protocols such as DNS, FTP, SMTP, HTTP, and HTTPS, and that this additional information is used by Check Point researchers to analyze attacks.

This is why Forensics is the correct TAC-oriented tracking choice. Alert is a notification-style tracking action, not a deep forensic enrichment mechanism. SNMP sends a management notification, and User Defined invokes administrator-defined alert handling rather than supplying advanced attack-analysis fields. In operational troubleshooting, Forensics is valuable because it preserves richer evidence around the inspected connection, affected blade, protocol behavior, and detection context. Reference topics: Threat Prevention Policy Track Options, Advanced Forensics Details, Logs & Monitor, TAC escalation analysis.

The correct answer is A. An audit log is a record of actions taken by administrators . In Check Point management architecture, audit logs are different from traffic logs, threat logs, or operating-system event logs. A traffic log records inspected network connections and blade decisions. A threat log records Threat Prevention detections, preventions, packet captures, forensic details, and blade-specific events. An audit log records administrative activity performed in the management environment. The uploaded Check Point glossary material defines an Audit Log as a log that contains administrator actions on a Management Server, including login and logout, creation or modification of an object, and installation of a policy.

This is operationally important because audit logs support accountability and change control. When investigating a policy change, exception addition, blade enablement, profile modification, or installation event, the audit trail shows which administrator performed the action and when it occurred. Option B is incorrect because system event logs are not the same as audit logs. Option C describes a filtered view of logs, not an audit record. Option D is incorrect because gateway system logs are operational logs from enforcement points, while audit logs are management-plane administrative records. Reference topics: Audit Logs, administrator actions, Management Server accountability, policy installation auditing, change tracking.

The correct answer is A. Infected host identification . Malware DNS Trap is designed to help identify compromised clients by redirecting malicious DNS resolution to a controlled false IP address and then observing which internal hosts attempt to connect to that trap address. Check Point’s R81.20 Threat Prevention guide states that Malware DNS Trap can be used to detect compromised clients by checking logs with connection attempts to the false IP address. It also notes that internal DNS servers can be added to better identify the origin of malicious DNS requests.

This makes the primary operational benefit host attribution. While DNS security can block or prevent malicious DNS-related activity, DNS Trap’s distinctive value is showing which internal endpoint is likely infected or attempting malicious communication. Option B is more aligned with URL Filtering or URL reputation, not DNS Trap. Option C describes a blocking outcome, but it misses the key trap mechanism and attribution purpose. Option D is incorrect because the usual DNS Trap use case concerns internal clients generating suspicious outbound DNS or follow-up connections, not inbound malicious DNS queries. Reference topics: Malware DNS Trap, Anti-Bot & Advanced DNS, false IP address, compromised-client detection, infected-host investigation.

The correct answer is B. Traffic is matched against all applicable layers at the same time . Threat Prevention policy evaluation is not best described as a flat simultaneous match against all applicable layers. Check Point documentation explains that Threat Prevention Policy Layers are Ordered Layers , and that each ordered layer calculates its action separately from the other layers. In a single-layer policy package, the enforced rule is the first matched rule. In multiple-layer policy behavior, matching and enforcement are determined by the layer calculations and the applicable action logic, rather than by one undifferentiated simultaneous match model.

Option A is true because Threat Prevention inspection is applied after the Access Control policy allows the connection; traffic dropped or rejected by Access Control does not proceed to Threat Prevention enforcement. Option C is true for a single Threat Prevention layer because the first matching rule is enforced. Option D is also true because Threat Prevention uses ordered policy-layer behavior. The false statement is therefore option B. Reference topics: Threat Prevention Policy, Ordered Layers, first-match rule behavior, Access Control before Threat Prevention, multi-layer enforcement logic.

The correct answer is D. 2 million . In R81.20, Check Point expanded the supported scale for custom threat intelligence observables. The R81.20 Threat Prevention Administration Guide states that, starting from R81.20, the Security Gateway supports at least 2 million patterns/observables for URL, Domain, IP address, and Hash observable types. It also notes that the maximum number is limited by available memory and disk space on the Security Gateway, and that the gateway checks whether 50% of total memory is free before loading more patterns or observables.

This capability applies to Custom Intelligence Feeds, which let administrators fetch feeds from third-party servers directly to the Security Gateway for enforcement by Anti-Virus, Anti-Bot, and IPS blades. The feature reduces operational overhead by allowing external indicators to be managed and monitored through the Threat Prevention enforcement path. The incorrect options either understate or overstate the documented baseline. “Unlimited” is also incorrect because Check Point explicitly ties the upper boundary to memory and disk capacity. Reference topics: Custom Threat Indicators, External IoC Feeds, Custom Intelligence Feeds, observable scale, R81.20 Threat Prevention, URL/domain/IP/hash indicators.

The correct answer is D. SmartView . Threat Prevention exceptions are created and managed in SmartConsole policy and log workflows, not from SmartView as the tested location. Check Point documentation states that an exception can be added directly to a rule, and the procedure begins by selecting the rule in the Policy pane and clicking Add Exception . It also documents creating exceptions from IPS Protections and from logs or events in the Logs & Monitor view, where the administrator right-clicks a log and selects Add Exception .

This validates Policy Rule, Log Overview, and Log Details-style workflows as valid exception creation contexts. SmartView, by contrast, is primarily used for browser-based log viewing, reporting, dashboards, and event analysis. It is not the SmartConsole policy-editing context where Threat Prevention exception rules are inserted into the policy package and then installed. The operational reason is enforcement integrity: exceptions modify the compiled Threat Prevention policy, so they must be created in a policy-aware workflow where protected scope, protection/site/file/blade, action, track, install targets, and policy installation are controlled. Reference topics: Exception Rules, Adding Exception to Rule, Creating Exceptions from Logs or Events, IPS Protections exceptions, Threat Prevention Policy installation.

The correct answer is B. You can check the percentage of F2F connections along with the reason why those connections could not be accelerated . The command fwaccel stats is part of SecureXL performance analysis. It is used to inspect how traffic is distributed across acceleration paths and firewall paths, which is essential when Threat Prevention blades or deep inspection features push traffic away from full acceleration. Check Point’s Performance Tuning documentation shows that fwaccel stats -s provides a summary including accelerated packets, F2Fed packets, F2V packets, CPASXL packets, PSLXL packets, and related totals.

The same documentation explains that F2F packets are packets SecureXL forwarded to the Firewall kernel in the slow path. This makes the command directly useful when diagnosing performance issues caused by non-accelerated inspection, SecureXL violations, or traffic that must be inspected by firewall and Threat Prevention components. Option A is wrong because fwaccel stats does not enable QoS acceleration. Option C is too generic; the command is not merely utilization monitoring. Option D better describes fwaccel stat , which reports SecureXL status, accelerated interfaces, and accelerated features. Reference topics: SecureXL, fwaccel stats, F2F packets, accelerated path, firewall path, performance troubleshooting.

The correct official-guide answer is B. Install the Threat Prevention Policy . IPS protections can be updated manually or by schedule, and Check Point documentation states that IPS can be updated with real-time information on attacks and the latest protections. However, the same official section explicitly notes that to enforce the IPS updates, you must install the Threat Prevention Policy . The documented update procedure also ends with installing the Threat Prevention Policy after selecting the IPS update method.

This distinction is important: downloading or updating the IPS package makes the updated protections available to management and policy logic, but enforcement on Security Gateways depends on policy installation. “Install Database” is not the correct enforcement step for gateway inspection. Installing the Access Control Policy is also incorrect because IPS ThreatCloud protections are part of the Threat Prevention policy framework, not the Access Control rulebase. The statement that changes are immediately active is not the current official behavior for enforcing IPS updates on gateways. In production operations, scheduled IPS updates may be paired with automatic Threat Prevention policy installation, but that still confirms the requirement: the policy must be installed for enforcement. Reference topics: Updating IPS Protections, Threat Prevention Policy installation, IPS update enforcement, scheduled updates.

The correct answer is B. CPU Utilization . IPS protection selection and activation are based on protection metadata and profile criteria, not a direct CPU-utilization rating. The official Threat Prevention guide states that a Threat Prevention profile activates protections according to factors including performance impact of the protection , severity of the threat , confidence that a protection can correctly identify an attack , and settings specific to the Software Blade.

The same R81.20 guide shows how the Optimized profile uses these criteria: protections are set to Prevent or Detect based on Confidence Level , Performance Impact , and Severity thresholds. CPU utilization is certainly relevant in performance troubleshooting, capacity planning, and operational monitoring, but it is not one of the IPS protection-selection ratings. In practice, CPU usage is an observed runtime metric, while Performance Impact is the predefined protection attribute used by profiles to decide whether a protection should be active, detect-only, or prevented. This distinction matters in certification: IPS tuning is driven by profile attributes, while CPU utilization is reviewed afterward through monitoring tools such as CPView, logs, and performance diagnostics. Reference topics: IPS Protection ratings, Threat Prevention Profiles, Severity, Confidence Level, Performance Impact, activation criteria.