Check Point Certified Threat Prevention Specialist (CTPS) Questions and Answers
What is the impact of changing the Preconfigured Threat Prevention Profiles?
Options:
A. The best practice for all Check Point delivered profiles and objects is to first clone them and work on the clones.
B. The impact is minimal if you first delete all of them and then build them from scratch.
C. The impact can be minimized if you use the performance check tool. You can enable it in IPS Protections > Actions > Run Protection performance check tool.
D. There is no performance or security impact in changing the Preconfigured Profiles.
Answer: A
Explanation:
The correct answer is A: clone the Check Point delivered profiles and objects and work on the clones. Check Point's out-of-the-box Threat Prevention profiles are predefined baselines with known security and performance behavior. The Threat Prevention Profiles documentation states that administrators can clone a selected profile and then change the clone, but cannot change the out-of-the-box profiles Basic, Optimized, and Strict. The documented workflow is to right-click the profile, select Clone, rename the copy, configure its settings, and then install policy.
This is the correct operational model because vendor-delivered profiles are reference baselines. Modifying production enforcement should be done in a cloned profile so that the original baseline remains available for comparison, rollback, and troubleshooting. Option B is incorrect because deleting predefined profiles and rebuilding from scratch is unsafe and unnecessary. Option C is not the standard best-practice answer; performance impact should be managed by profile criteria and IPS tuning, not by a separate “performance check tool” workflow in this question. Option D is incorrect because profile changes can materially affect both security posture and gateway performance. Reference topics: Threat Prevention Profiles, Basic/Optimized/Strict profiles, profile cloning, policy installation, IPS tuning baseline.
Which statement is true concerning the Custom Policy Tools?
Options:
A. Block List files - Configure disallowed files.
B. Allow List Files - Configure allowed files.
C. Indicators - Configure indicators for benign activity.
D. Profiles - Edit profiles which are only available for Autonomous Threat Prevention.
Answer: A
Explanation:
The correct answer is A: Block List files - Configure disallowed files. Custom Policy Tools manage the Threat Prevention objects and enforcement helpers under the Threat Prevention policy view. A Block List file defines files that the policy treats as disallowed or explicitly malicious. This is the opposite of the Allow List, which Check Point documents as a list of trusted files that the Threat Prevention engine does not inspect for malware, viruses, and bots, reducing gateway resource use. The official guide shows Allow List Files under Threat Prevention > Custom Policy Tools > Allow List Files.
Option A is the keyed true statement because it describes the role of block-list handling. Option B matches how the documentation describes Allow List Files, but this item's answer key validates the Block List definition; check the Custom Policy Tools page for the release you run before relying on either wording. Option C is incorrect because indicators describe malicious, not benign, activity: observables such as IPs, domains, URLs, or hashes used for threat intelligence and enforcement. Option D is incorrect because profiles are not limited to Autonomous Threat Prevention; Custom Threat Prevention also uses profiles such as Basic, Optimized, and Strict. Reference topics: Custom Policy Tools, Block List Files, Allow List Files, Indicators, Threat Prevention Profiles.
Mike wants to block all files in the event of internal failure; what option should he choose?
Options:
A. open system
B. fail-close
C. fail-open
D. closed system
Answer: B
Explanation:
The correct answer is B: fail-close. Fail mode defines how the Threat Prevention inspection engine behaves when it is overloaded or hits an internal failure. The Threat Prevention Engine Settings documentation defines two options: Allow all connections (Fail-open) and Block all connections (Fail-close). Fail-open lets connections through when the engine is overloaded or fails; Fail-close blocks them in that condition.
Because the question specifically says Mike wants to block all files if an internal failure occurs, the secure choice is fail-close. This prioritizes protection and containment over availability. It is appropriate where allowing unscanned files would be unacceptable, such as highly regulated environments, malware-sensitive segments, or traffic paths carrying untrusted downloads. The tradeoff is operational: fail-close can interrupt business traffic if the inspection engine is unavailable, overloaded, or unable to complete the decision. Fail-open is the default availability-oriented behavior because it keeps traffic moving during failure, but it permits files or connections that may not have completed inspection. “Open system” and “closed system” are not the correct Check Point Threat Prevention fail-mode terms in this context. Reference topics: Threat Prevention Engine Settings, ThreatSpect fail mode, fail-open, fail-close, inspection failure handling.
What is the purpose of the Packet Capture Track option?
Options:
A. You can visualize traffic information with a third-party XDR tool.
B. The Security Gateway sends a packet capture file along with the log file. The former can be analyzed with an external tool, such as Wireshark.
C. You can specify the time after which the connection has to be reinitialized.
D. You can specify a threshold value which serves as a limit after which the connection will be reset.
Answer: B
Explanation:
The correct answer is B: the Security Gateway sends a packet capture file along with the log, and the capture can be analyzed with an external tool such as Wireshark. Packet Capture is a tracking enhancement used when logs alone do not explain the traffic that triggered a security event. Check Point documentation explains that Packet Capture captures the network traffic behind a log and that the capture gives greater insight into the traffic that generated it. When the option is enabled, the Security Gateway sends the packet-capture file with the log to the Log Server.
This is especially useful for IPS and Threat Prevention troubleshooting because analysts can inspect payload structure, headers, protocol behavior, retransmissions, and exact traffic context behind a prevention or detection event. Packet captures can then be opened in external protocol-analysis tools such as Wireshark for deeper investigation. Option A is incorrect because Packet Capture is not specifically an XDR visualization feature. Option C is unrelated to tracking and describes a timeout-style behavior. Option D describes threshold/reset logic, not packet evidence collection. Reference topics: Packet Capture Track option, Logs & Monitor, Threat Prevention event analysis, IPS troubleshooting, packet-level evidence.
What kind of blade is the IPS considered?
Options:
A. Preventative
B. Pre-infection
C. Inline
D. Post-infection
Answer: B
Explanation:
The correct answer is B: Pre-infection. IPS is categorized as a pre-infection Threat Prevention blade because its role is to stop exploitation attempts before the protected host is compromised. Check Point's Threat Prevention guide describes IPS as protection against malicious and unwanted network traffic, focused on application and server vulnerabilities, in-the-wild attacks, exploit kits, and malicious attackers. The same guide classifies Anti-Bot & Advanced DNS as post-infection detection of bots on hosts, and Anti-Virus as pre-infection detection and blocking of malware at the gateway.
IPS belongs in the pre-infection stage because it prevents the exploit chain from succeeding. It inspects network traffic for vulnerability exploitation, protocol abuse, malformed payloads, known CVE exploitation attempts, server attacks, client attacks, and suspicious patterns that could lead to compromise. “Preventative” is broadly true as an English description, but it is not the specific Check Point lifecycle classification tested here. “Inline” describes where a security function may sit in traffic flow, not the infection-stage category. “Post-infection” is associated with Anti-Bot, which detects and blocks command-and-control communications after a host shows signs of compromise. Reference topics: IPS Software Blade, pre-infection prevention, exploit protection, Threat Prevention architecture, Anti-Bot post-infection contrast.
What are examples of evidence of compromises from inside network in conjunction with Bot-infected systems?
Options:
A. Users surfing the website directly by IP address or using domains registered within the last 30 days.
B. Trying to access web resources using explicit proxy servers instead of transparent ones.
C. Repetitive access to the same specific Intranet web servers within business hours.
D. Trying to access a web server via HTTP instead of HTTPS.
Answer: A
Explanation:
The correct answer is A: users browsing a website directly by IP address, or using domains registered within the last 30 days. Anti-Bot looks for post-infection evidence: it identifies hosts that may already be infected and blocks their command-and-control communication and other botnet behavior. Check Point documentation describes Anti-Bot as the Threat Prevention component that blocks botnet behavior and communication to Command and Control centers, within a solution that provides multi-layered pre- and post-infection defense.
Direct IP browsing and use of newly registered domains are suspicious because malware frequently avoids mature domain reputation controls, rotates infrastructure quickly, or contacts IP-based C2 endpoints directly to bypass domain-based filtering. Domains registered within a recent window are a common risk indicator because malicious campaigns often use disposable infrastructure with short operational lifetimes. Option B is not inherently evidence of bot infection; explicit proxy use may be a network design choice. Option C describes normal intranet access patterns. Option D may indicate weak encryption hygiene but is not specific evidence of compromise. In Anti-Bot analysis, indicators such as suspicious destinations, direct IP access, newly observed domains, and C2-like behavior help identify infected internal hosts. Reference topics: Anti-Bot, post-infection detection, Command and Control communication, suspicious domains, infected-host analysis.
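As an added example (not from the course material and not Check Point code), the two indicators named in option A, direct-to-IP browsing and newly registered destination domains, scored over proxy-style log lines. The log lines, the internal addresses, the 30-day window and the domain creation-date table standing in for a WHOIS or passive-DNS lookup are all constructed assumptions for the example; a real deployment would query a reputation feed instead of a dictionary.

```python
"""Added example: score two Anti-Bot style indicators, direct-to-IP browsing
and newly registered destination domains, over proxy-style log lines.
Everything below (log lines, domain ages, threshold) is constructed for
the example and is not Check Point code or data."""
from datetime import date
from ipaddress import ip_address
from urllib.parse import urlsplit

# Constructed sample log lines: "<timestamp> <internal-src-ip> <url>".
SAMPLE_LOG = """\
2024-06-03T09:12:01Z 10.1.20.15 http://intranet.corp.example/portal
2024-06-03T09:12:44Z 10.1.20.15 http://203.0.113.77/gate.php
2024-06-03T09:13:10Z 10.1.20.31 https://updates.vendor.example/patch.exe
2024-06-03T09:13:52Z 10.1.20.31 https://fresh-loot-x9.example/c2
2024-06-03T09:14:05Z 10.1.20.40 https://[2001:db8::10]:8443/beacon
"""

# Hypothetical domain creation dates, standing in for a WHOIS/passive-DNS
# lookup. Unknown domains return no age and are not flagged by this rule.
DOMAIN_CREATED = {
    "intranet.corp.example": date(2015, 1, 10),
    "updates.vendor.example": date(2012, 5, 2),
    "fresh-loot-x9.example": date(2024, 5, 20),
}
NEW_DOMAIN_DAYS = 30            # window used in the question
ASOF = date(2024, 6, 3)         # "today" for the constructed log


def is_ip_literal(host):
    """True when the URL host is a bare IPv4/IPv6 address, not a name."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def domain_age_days(host, today=ASOF):
    created = DOMAIN_CREATED.get(host)
    return None if created is None else (today - created).days


def classify(line, today=ASOF):
    """Return (src, host, [reasons]) for one log line."""
    _ts, src, url = line.split(maxsplit=2)
    host = urlsplit(url).hostname or ""   # strips port and IPv6 brackets
    reasons = []
    if is_ip_literal(host):
        reasons.append("direct-ip")
    else:
        age = domain_age_days(host, today)
        if age is not None and age < NEW_DOMAIN_DAYS:
            reasons.append(f"new-domain({age}d)")
    return src, host, reasons


def suspicious_hosts(log_text, today=ASOF):
    """Map internal source IP -> list of indicator hits. A single direct-IP
    request is a weak signal on its own; in Anti-Bot triage it is combined
    with reputation and C2 behaviour before a host is declared infected."""
    hits = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src, _host, reasons = classify(line, today)
        if reasons:
            hits.setdefault(src, []).extend(reasons)
    return hits


if __name__ == "__main__":
    for src, reasons in suspicious_hosts(SAMPLE_LOG).items():
        print(src, ", ".join(reasons))
```

The IPv6 line shows why the host is taken from `urlsplit(...).hostname` rather than a naive split: the brackets and port are removed before the address-literal test, so `[2001:db8::10]:8443` is still recognised as direct-IP access.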
IPS stands for?
Options:
A. Invasion Prevention Software
B. Intrusion Prevention System
C. Intrusion Prevention Software
D. Invasion Prevention System
Answer: B
Explanation:
The correct answer is B: Intrusion Prevention System. In Check Point terminology, IPS is the Software Blade that inspects and analyzes packets and data for numerous risk types. The official Threat Prevention documentation expands IPS as Intrusion Prevention System and describes IPS protections as part of the Threat Prevention Software Blade framework.
IPS is more than a simple signature engine. It provides vulnerability-oriented and exploit-oriented protections, including protections mapped to CVEs, protocol anomalies, command injection patterns, server-side attacks, client-side attacks, and other known or unknown exploitation behaviors. Check Point also describes IPS as delivering proactive intrusion prevention with thousands of signatures, behavioral protections, and preemptive protections, adding another layer of security above firewall enforcement.
The incorrect options misuse the term "Invasion" or replace "System" with "Software." Although IPS is delivered as a Check Point Software Blade, the acronym expands to Intrusion Prevention System. In policy design, IPS is treated as a pre-infection capability that stops exploitation before compromise, not as a post-infection malware-detection control. Reference topics: IPS Software Blade, Intrusion Prevention System definition, IPS protections, CVE-based protections, proactive intrusion prevention.
Which Tracking option can be used to capture additional data for analysis by Check Point TAC?
Options:
A. Alert
B. Forensics
C. SNMP
D. User Defined
Answer: B
Explanation:
The correct answer is B: Forensics. In Threat Prevention policy tracking, Forensics is the option that enriches Threat Prevention logs with additional investigation data. Check Point documentation states that the Forensics option adds fields to the Threat Prevention logs, and that this extra information gives a deeper understanding of an attack. The Monitoring Threat Prevention section adds that Advanced Forensics Details can appear in logs for supported protocols such as DNS, FTP, SMTP, HTTP, and HTTPS, and that Check Point researchers use this information to analyze attacks.
This is why Forensics is the correct TAC-oriented tracking choice. Alert is a notification-style tracking action, not a deep forensic enrichment mechanism. SNMP sends a management notification, and User Defined invokes administrator-defined alert handling rather than supplying advanced attack-analysis fields. In operational troubleshooting, Forensics is valuable because it preserves richer evidence around the inspected connection, affected blade, protocol behavior, and detection context. Reference topics: Threat Prevention Policy Track Options, Advanced Forensics Details, Logs & Monitor, TAC escalation analysis.
What is the recommended setting for Anti-Virus and why?
Options:
A. Background because it is Post-infection
B. Hold because it is Pre-infection and inspects a limited subset of traffic
C. Hold because it inspects a limited subset of traffic
D. Background because it inspects a large subset of traffic
Answer: D
Explanation:
The correct answer is D: Background, because Anti-Virus inspects a large subset of traffic. Anti-Virus is a pre-infection Threat Prevention blade that can inspect broad traffic categories, including web and file-transfer flows. Because that inspection scope is large, the selected enforcement behavior directly affects latency, user experience, and gateway resource consumption. Check Point documentation identifies Anti-Virus as a blade that scans protocols such as HTTP/HTTPS, FTP, SMB, and mail traffic (SMTP, POP3, and IMAP) depending on configuration.
The Background setting is recommended in this context because it avoids unnecessarily holding a large volume of traffic while inspection continues. Hold mode is stricter because it delays delivery until inspection completes or a timeout condition is reached, but that strictness can introduce user-facing delay when applied broadly. Option A is incorrect because Anti-Virus is not post-infection; it prevents malware before user impact. Options B and C are incorrect because they associate Hold mode with a limited inspection scope, while Anti-Virus commonly applies to a large and performance-sensitive traffic set. Reference topics: Anti-Virus Settings, protocol inspection scope, Background versus Hold behavior, performance impact, pre-infection prevention.
You have been asked to inform your CEO about last week's security incident.
What SmartEvent mechanism are you going to use?
Options:
A. You have to use the SmartEvent Threat Prevention View to get the information, then extract it to CSV format and then generate a PDF with this info.
B. The executive reports generally contain abstract information without much technical detail. You have to use the SmartEvent Threat Prevention Report filtered for last week's data.
C. From SmartLog you filter out traffic for last week and export it to a special report generation tool.
D. You have to build a view for last week and submit it to your CEO.
Answer: B
Explanation:
The correct answer is B: executive reports carry summary information without much technical detail, so use the SmartEvent Threat Prevention Report filtered for last week's data. For executive communication, the right SmartEvent mechanism is a report rather than a raw log export or an interactive operational view. Check Point documentation explains that views and reports can be exported to PDF or CSV with defined filters and time frames, and that reports summarize network activity and Security Policy enforcement as recorded by Check Point products such as SmartEvent.
A CEO-level security-incident briefing should emphasize risk, timeline, impact, affected assets, attack category, prevention outcome, and recommended remediation, without requiring the recipient to interpret raw logs or technical blade details. A Threat Prevention Report filtered for last week provides the appropriate time-bounded summary. Option A is overly manual and uses a view plus CSV/PDF conversion rather than the report mechanism. Option C incorrectly shifts the workflow to SmartLog filtering and an external report generator. Option D uses a view, which is better suited for live or interactive operational analysis by administrators, not executive distribution. Reference topics: SmartEvent Reports, Threat Prevention Report, report time filters, executive reporting, exporting reports.
What is necessary to do in order for the IPS Core Protection to take effect?
Options:
A. Nothing is to be done, since the Core Protection settings are immediately active.
B. Install the Access Control Policy.
C. Install the Threat Prevention Policy.
D. Perform "Install Database" on the Management Server.
Answer: C
Explanation:
The correct answer is C: Install the Threat Prevention Policy. IPS Core Protections belong to the Threat Prevention policy domain, so editing them in SmartConsole is not enough by itself. The updated configuration must be compiled and installed on the relevant Security Gateways through Threat Prevention policy installation. Check Point's IPS Protections documentation gives the workflow: go to Security Policies > Threat Prevention > Custom Policy Tools > IPS Protections, filter for Type Core, edit the required core protection settings, and then install the Threat Prevention policy.
This directly eliminates the other options. The setting is not immediately active because gateways enforce installed policy, not merely edited management configuration. Install Database updates the management database but does not push enforcement logic to the Security Gateway. Install Access Control Policy applies firewall/access-layer logic, but IPS Core Protections belong to the Threat Prevention policy. In operational terms, this separation allows administrators to install Threat Prevention changes without necessarily reinstalling Access Control, reducing disruption and keeping blade changes scoped to the correct policy package. Reference topics: IPS Protections, Core IPS Protections, Custom Policy Tools, Threat Prevention Policy installation, enforcement lifecycle.
What does not belong to types of exceptions?
Options:
A. IPS Settings Exceptions.
B. QoS Policy exemptions.
C. Core Activations Exceptions.
D. Implied IPS Exceptions.
Answer: B
Explanation:
The correct answer is B: QoS Policy exemptions. Threat Prevention exceptions are policy constructs that alter how Threat Prevention blades, IPS protections, files, sites, or protected-scope objects are handled. Check Point documentation explains that an exception sets a different action for an object in the protected scope than the action of the matching Threat Prevention rule, and that exceptions are generally meant to reduce enforcement rather than increase it. The guide also describes creating exceptions from IPS Protections, logs, events, and exception groups, all within the Threat Prevention policy workflow.
IPS Settings Exceptions, Core Activation Exceptions, and Implied IPS Exceptions fit the IPS/Threat Prevention exception model because they change how protections are activated, tuned, or safely excluded from enforcement. QoS Policy exemptions do not belong to that taxonomy: QoS covers traffic prioritization and bandwidth control, not malware, IPS, Anti-Bot, Anti-Virus, or blade exception handling. The separation to remember is policy domain: Threat Prevention exceptions modify security inspection behavior, while QoS exemptions belong to traffic management. Reference topics: Threat Prevention Exceptions, IPS Exceptions, Core Activation Exceptions, Implied IPS Exceptions, exception groups.
What information is provided by "fwaccel stats"?
Options:
A. This command is to enable acceleration on QoS packets.
B. You can check the percentage of F2F connections along with the reason why those connections could not be accelerated.
C. The command is used to examine traffic utilization statistics.
D. You can check the SecureXL status of your Security Gateway.
Answer: B
Explanation:
The correct answer is B: you can check the percentage of F2F connections along with the reason those connections could not be accelerated. fwaccel stats is a SecureXL performance command that shows how traffic is distributed across the accelerated and firewall paths, which matters when Threat Prevention blades or deep inspection push traffic out of full acceleration. Check Point's Performance Tuning documentation shows that fwaccel stats -s prints a summary of accelerated packets, F2Fed packets, F2V packets, CPASXL packets, PSLXL packets, and related totals, and that fwaccel stats -p shows the violation statistics that explain why packets were forwarded to the firewall path.
The same documentation explains that F2F packets are packets SecureXL forwarded to the Firewall kernel in the slow path. That makes the command directly useful when diagnosing performance problems caused by non-accelerated inspection, SecureXL violations, or traffic that must be inspected by firewall and Threat Prevention components. Option A is wrong because fwaccel stats does not enable QoS acceleration. Option C is too generic; the command is not plain utilization monitoring. Option D describes fwaccel stat (without the trailing s), which reports SecureXL status, accelerated interfaces, and accelerated features. Reference topics: SecureXL, fwaccel stats, F2F packets, accelerated path, firewall path, performance troubleshooting.
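Added example, not Check Point's code: a parser for the ratio lines that fwaccel stats -s prints, computing the path split from the raw packet counters instead of the rounded percentages in the output. The sample output is constructed (counter names follow the documented summary, the numbers are invented, and the exact column alignment on a real gateway may differ), and the 30% F2F warning threshold is an assumed tuning value, not a Check Point recommendation.

```python
"""Added example: turn the `fwaccel stats -s` summary into per-path packet
percentages and flag a high F2F share. The sample text below is constructed
and only approximates the real output layout."""
import re

# Constructed sample of `fwaccel stats -s` output (counter names as documented,
# numbers invented). Counts per path sum to the total on purpose.
SAMPLE_FWACCEL_STATS_S = """\
Accelerated conns/Total conns : 120/950 (12%)
Accelerated pkts/Total pkts   : 610402/1488210 (41%)
F2Fed pkts/Total pkts         : 712345/1488210 (47%)
F2V pkts/Total pkts           : 15210/1488210 (1%)
CPASXL pkts/Total pkts        : 62013/1488210 (4%)
PSLXL pkts/Total pkts         : 88240/1488210 (5%)
QOS inbound pkts/Total pkts   : 0/1488210 (0%)
QOS outbound pkts/Total pkts  : 0/1488210 (0%)
Corrected pkts/Total pkts     : 0/1488210 (0%)
"""

# "<name> : <count>/<total> (<pct>%)"
LINE_RE = re.compile(
    r"^\s*(?P<name>[^:]+?)\s*:\s*(?P<num>\d+)/(?P<den>\d+)\s*\((?P<pct>\d+)%\)"
)

PATHS = {
    "SXL (accelerated)": "Accelerated pkts/Total pkts",
    "F2F (slow path)": "F2Fed pkts/Total pkts",
    "F2V": "F2V pkts/Total pkts",
    "CPASXL": "CPASXL pkts/Total pkts",
    "PSLXL": "PSLXL pkts/Total pkts",
}
F2F_WARN_PERCENT = 30.0   # assumed threshold for this example


def parse_stats_summary(text):
    """Return {counter-name: (count, total)} for every ratio line."""
    stats = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            stats[m.group("name")] = (int(m.group("num")), int(m.group("den")))
    return stats


def path_breakdown(stats):
    """Percent of all packets per SecureXL path, from the raw counters
    (one decimal), so rounding in the printed percentages is not inherited."""
    result = {}
    for label, key in PATHS.items():
        num, den = stats[key]
        result[label] = round(100.0 * num / den, 1) if den else 0.0
    return result


def f2f_assessment(stats, warn_at=F2F_WARN_PERCENT):
    """(f2f_percent, verdict). A high F2F share after enabling IPS is the
    symptom the question describes; the next step is `fwaccel stats -p`
    for the violation reasons and the IPS protections' performance impact."""
    pct = path_breakdown(stats)["F2F (slow path)"]
    if pct >= warn_at:
        return pct, "high F2F share: review IPS/Threat Prevention protections and fwaccel stats -p"
    return pct, "F2F share within threshold"


if __name__ == "__main__":
    s = parse_stats_summary(SAMPLE_FWACCEL_STATS_S)
    for label, pct in path_breakdown(s).items():
        print(f"{label:20s} {pct:5.1f}%")
    print(*f2f_assessment(s))
```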
What is a distinct limitation of Active Streaming compared to Passive Streaming in conjunction with Anti-Virus?
Options:
A. Only scheduled scans are possible.
B. File size limits.
C. There is no limitation.
D. Only a subset of file types supported.
Answer: D
Explanation:
The correct answer is D: only a subset of file types is supported. In Check Point's traffic inspection architecture, Passive Streaming and Active Streaming are the stream-handling mechanisms used by content-inspection components. Passive Streaming inspects traffic as the stream is observed, while Active Streaming is more intrusive: the gateway actively participates in the connection and can buffer or modify traffic. For Anti-Virus this matters because file classification and supported file handling depend on the inspection mechanism and the file-type processing model. Check Point's Anti-Virus settings expose file-type controls, including processing by file-type family and per-type actions. Check Point's Security Gateway documentation identifies CPAS as Check Point Active Streaming and PSL as Passive Streaming Layer, with MUX selecting between passive and active streaming for application traffic.
The exam distinction is that Active Streaming does not give unrestricted Anti-Virus coverage across every file type; its limitation is that only a subset of file types is supported. Option A is wrong because Anti-Virus inspection is not limited to scheduled scans. Option B is not the comparative limitation tested here. Option C is incorrect because there is a documented architectural difference between the two streaming approaches. Reference topics: CPAS, PSL, MUX, Anti-Virus file-type processing, content inspection architecture.
Protections with a High Protection Impact rating go through which path?
Options:
A. PXL
B. SXL
C. CPASXL
D. F2F
Answer: D
Explanation:
The correct answer is D: F2F. Protections with a high performance impact require deeper processing that cannot stay fully accelerated in SecureXL. In Check Point performance terminology, F2F means traffic is forwarded from SecureXL to the Firewall path for inspection. Performance tuning documentation describes F2F packets as packets that SecureXL forwarded to the Firewall in the slow path, while accelerated traffic stays in the fast path. Threat Prevention protections, especially high-impact IPS protections, can require deeper packet, stream, or protocol analysis and so increase the share of traffic processed outside full SecureXL acceleration.
Check Point IPS documentation explains that Performance Impact is the measure of how much a protection affects gateway performance and warns that activated protections with higher performance impact can cause connectivity or performance issues. The IPS optimization guidance further explains that some protections require more system resources to inspect traffic and recommends focusing on lower-impact protections when reducing gateway resource use is necessary. SXL is the fully accelerated path, PXL is medium-path inspection with acceleration assistance, and CPASXL relates to active streaming acceleration. High Protection Impact aligns with F2F because the gateway must perform deeper inspection. Reference topics: IPS Performance Impact, SecureXL packet paths, F2F, PXL/SXL, IPS optimization.
What type of layer is the Threat Prevention policy?
Options:
A. It can be ordered or inline
B. Inline
C. Post Access Control follow-up layer
D. Ordered
Answer: D
Explanation:
The correct answer is D: Ordered. The Threat Prevention policy uses ordered policy layers. Check Point documentation states that you can create a Threat Prevention Rule Base with multiple Ordered Layers, and that Ordered Layers help organize the Rule Base by organizational need, such as services or networks. Each Policy Layer calculates its action separately from the other layers, and when the package has one layer, the first matched rule is enforced.
This is a core certification distinction. Access Control can use ordered and inline layers, but Threat Prevention is treated as an ordered layer policy model. The policy evaluates rules in order and applies the appropriate Threat Prevention profile, blades, protection behavior, and tracking according to rule matching. Option C describes when Threat Prevention is applied in the traffic flow—after Access Control accepts the connection—but it does not answer the question about the layer type. Option A is incorrect because Threat Prevention is not both ordered and inline in this context. Option B is incorrect because inline layers are not the Threat Prevention layer type being tested here. Reference topics: Threat Prevention Policy Layers, Ordered Layers, first-match behavior, policy-layer calculation, Threat Prevention Rule Base.
Which protection setting is generally the LEAST resource intensive?
Options:
A. Prevent
B. Inspect
C. Detect
D. Inactive
Answer: D
Explanation:
The correct answer is D: Inactive. A protection set to Inactive is not enforced for matching traffic, so it does not carry the inspection and enforcement cost of the active states. Check Point documentation explains that a Threat Prevention profile determines which protections are activated and which Software Blades are enabled for a rule or policy; which protections a profile activates depends on performance impact, threat severity, confidence level, and blade-specific settings. Check Point best-practice material also describes tuning IPS profiles by setting protections to Prevent, Detect, or Inactive.
The relative resource logic is direct: Prevent is usually the most expensive because the gateway must inspect and enforce a blocking action inline. Inspect and Detect still require traffic analysis and matching logic, even if the final result is logging rather than prevention. Inactive removes the protection from enforcement consideration, making it the lowest resource option. This does not mean administrators should disable protections indiscriminately; Inactive should be used only when justified by risk, false-positive analysis, performance tuning, or compensating controls. Reference topics: IPS profile tuning, activation settings, performance impact, Prevent/Detect/Inactive behavior, Threat Prevention optimization.
How can the IPS Blade be activated?
Options:
A. The IPS Blade must be activated on the Management Server object and can be used on every gateway managed by this Management Server.
B. No need to activate the IPS Blade as long as you have installed the correct IPS license on the gateways.
C. In a ClusterXL deployment, the IPS Blade must be activated on the individual cluster nodes.
D. The IPS Blade must be activated on the individual Security Gateway object.
Answer: D
Explanation:
The correct answer is D: the IPS Blade must be activated on the individual Security Gateway object. Check Point Software Blades are enabled on the enforcement point that inspects traffic, the Security Gateway or Cluster object, not merely on the Management Server. The official Threat Prevention guide states that to enable IPS the administrator opens the Security Gateway / Cluster object, goes to General Properties > Network Security, selects IPS, and follows the wizard. For IPS package installation, Check Point documents the sequence: enable IPS in the Security Gateway object, enable IPS in the corresponding Threat Prevention policy, and install the Threat Prevention Policy.
Licensing alone is therefore insufficient; a license permits use, but blade activation defines whether the gateway enforces IPS inspection. Option A is wrong because enabling the blade on the Management Server object does not activate IPS enforcement on all managed gateways. Option C is also wrong in standard ClusterXL management because blades are configured on the Cluster object, not separately and inconsistently on individual members. Operationally, enabling IPS on the correct gateway or cluster object ensures SmartConsole exposes the appropriate Threat Prevention controls and that policy installation targets the enforcement points. Reference topics: IPS Blade activation, Gateway object configuration, Threat Prevention policy installation, Cluster object management.
Which of the following protocols can be scanned by Anti-Virus?
Options:
A. RemoteDesktop
B. SNMP
C. CIFS
D. Telnet
Answer: C
Explanation:
The correct answer is C: CIFS. Check Point Anti-Virus scans file-transfer and content-bearing protocols, not arbitrary management or terminal protocols. The official Anti-Virus settings documentation lists the protocols Anti-Virus can scan as Web (HTTP/HTTPS), FTP, SMB, and Mail (SMTP, POP3, and IMAP).
CIFS is closely associated with Microsoft file sharing and the SMB protocol family. In the exam context, CIFS maps to the file-sharing traffic class that Anti-Virus can inspect through SMB scanning. This is why CIFS is the correct option. Remote Desktop is an interactive remote-control protocol, not a file-inspection protocol for Anti-Virus scanning in this question. SNMP is a monitoring and management protocol and does not normally carry files for malware inspection. Telnet is an interactive terminal protocol and is not an Anti-Virus file-scanning protocol. The certification distinction is that Anti-Virus inspection focuses on files and content objects crossing supported protocols, especially web downloads, FTP transfers, SMB/CIFS file access, and mail attachments. Reference topics: Anti-Virus Settings, protocol scanning, SMB/CIFS inspection, file-transfer inspection, Threat Prevention protected scope.
Using IPS can send a large part of the traffic to the F2F path.
Which command can you use to enforce traffic quotas?
Options:
fw dos rate
fwaccel rate
fw ctl dos
fwaccel dos rate
Answer:
D
Explanation:
The correct answer is D. fwaccel dos rate. When IPS or other Threat Prevention inspection causes significant traffic to leave the fully accelerated SecureXL path and move to F2F, the gateway can experience higher CPU utilization because more packets require Firewall kernel processing. The fwaccel dos rate command belongs to SecureXL DoS and rate-limiting controls. Check Point’s Performance Tuning guide defines fwaccel dos rate and fwaccel6 dos rate as commands that show and install the Rate Limiting policy in SecureXL. It also notes that the feature is enabled by default without rules.
This makes it the correct command for enforcing traffic quotas or rate-limiting policy in the accelerated path. fw dos rate is not the correct Check Point syntax. fwaccel rate omits the DoS rate-limiting command hierarchy. fw ctl dos is also not the documented command for SecureXL rate policy installation. In operational performance tuning, fwaccel DoS rate controls are useful when the gateway must protect CPU resources from excessive connection rates, volumetric pressure, or inspection-heavy flows that can amplify the impact of Threat Prevention processing. Reference topics: SecureXL DoS Mitigation, Rate Limiting Policy, fwaccel dos rate, F2F path, IPS performance impact.
What are the logical components of a SNORT rule?
Options:
Rule Header / rule body
Rule Header and Rule Options
Rule start / rule stop
Rule start / rule options
Answer:
B
Explanation:
The correct answer is B. Rule Header and Rule Options. Check Point supports SNORT rule import so administrators can create custom IPS protections from SNORT signatures. The official Check Point SNORT Signature Support documentation states that SNORT rules use signatures to define attacks and that a SNORT rule has a rule header and rule options. It also provides the syntax structure, where the first section contains action, protocol, source, destination, ports, and direction, while the options section contains keywords such as message and content match criteria.
The Rule Header defines the traffic selector and enforcement context: protocol, source address, source port, direction, destination address, and destination port. The Rule Options define the detection logic and metadata inside parentheses, such as msg, content, and other matching keywords. “Rule body” is not the formal Check Point/SNORT term in this context, and “rule start/rule stop” is not a recognized logical construction. This matters because imported SNORT rules become IPS protections, so syntax correctness affects whether the Management Server can parse, import, and enforce the custom signature. Reference topics: SNORT Signature Support, Custom IPS Protections, Rule Header, Rule Options, imported SNORT protections.
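The header/options split described above, as an added example that is not Check Point's or SNORT's own code: a small Python parser that separates a rule into its seven Rule Header fields and its ordered Rule Options, and rejects malformed rules (missing parentheses, wrong header field count, unterminated quoted strings, missing msg/sid) before they would be handed to an import step. The sample rule, the field names, the `check_rule` gate and the accepted action/protocol sets are constructed for this example and are assumptions, not values from the page.

```python
import re
from dataclasses import dataclass

# Constructed sample rule for this example (not taken from the page or from
# Check Point documentation); it follows ordinary SNORT rule syntax.
SAMPLE_RULE = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 '
    '(msg:"EXAMPLE web request marker"; flow:to_server,established; '
    'content:"GET"; nocase; content:"/example-path"; sid:1000001; rev:1;)'
)

# The seven header positions named on the page, in order (field names assumed here).
HEADER_FIELDS = ("action", "protocol", "src_addr", "src_port",
                 "direction", "dst_addr", "dst_port")
VALID_ACTIONS = {"alert", "log", "pass", "drop", "reject", "sdrop"}
VALID_PROTOCOLS = {"tcp", "udp", "icmp", "ip"}
VALID_DIRECTIONS = {"->", "<>"}
# any, a $VARIABLE, a port, a range (80:90, :1024, 1024:), or a [list]; optional leading '!'
PORT_RE = re.compile(r"^!?(any|\$\w+|\d+(:\d+)?|:\d+|\d+:|\[[^\]]+\])$")


@dataclass
class SnortRule:
    header: dict   # field name -> token, e.g. {"action": "alert", ...}
    options: list  # ordered (keyword, value) pairs; value is None for flags such as nocase


def split_options(text):
    """Split the options body on ';' while respecting double-quoted strings and backslash escapes."""
    parts, buf, in_quote, escape = [], [], False, False
    for ch in text:
        if escape:
            buf.append(ch)
            escape = False
            continue
        if ch == "\\":
            buf.append(ch)
            escape = True
            continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            parts.append("".join(buf).strip())
            buf = []
            continue
        buf.append(ch)
    if in_quote:
        raise ValueError("unterminated quoted string in rule options")
    tail = "".join(buf).strip()
    if tail:
        parts.append(tail)
    return [p for p in parts if p]


def parse_rule(rule_text):
    """Split one SNORT rule into its Rule Header and Rule Options and sanity-check both."""
    rule_text = rule_text.strip()
    open_idx = rule_text.find("(")
    if open_idx == -1 or not rule_text.endswith(")"):
        raise ValueError("rule options must be enclosed in parentheses")
    tokens = rule_text[:open_idx].split()
    if len(tokens) != len(HEADER_FIELDS):
        raise ValueError(f"rule header needs {len(HEADER_FIELDS)} fields, got {len(tokens)}")
    header = dict(zip(HEADER_FIELDS, tokens))
    if header["action"] not in VALID_ACTIONS:
        raise ValueError(f"unknown action {header['action']!r}")
    if header["protocol"] not in VALID_PROTOCOLS:
        raise ValueError(f"unknown protocol {header['protocol']!r}")
    if header["direction"] not in VALID_DIRECTIONS:
        raise ValueError(f"unknown direction {header['direction']!r}")
    for key in ("src_port", "dst_port"):
        if not PORT_RE.match(header[key]):
            raise ValueError(f"malformed {key} {header[key]!r}")
    options = []
    for item in split_options(rule_text[open_idx + 1:-1]):
        keyword, sep, value = item.partition(":")
        options.append((keyword.strip(), value.strip() if sep else None))
    keywords = [k for k, _ in options]
    if "msg" not in keywords or "sid" not in keywords:
        raise ValueError("rule options must include msg and sid")
    return SnortRule(header=header, options=options)


def option_values(rule, keyword):
    """All values for a (possibly repeated) option keyword, in rule order."""
    return [v for k, v in rule.options if k == keyword]


def check_rule(rule_text):
    """Return (True, '') when the rule parses, else (False, reason); a pre-import gate."""
    try:
        parse_rule(rule_text)
        return True, ""
    except ValueError as exc:
        return False, str(exc)


if __name__ == "__main__":
    rule = parse_rule(SAMPLE_RULE)
    print(rule.header)
    for keyword, value in rule.options:
        print(f"  {keyword} = {value}")
```

Running `check_rule` over a batch of signatures before importing them is the practical use: a rule that fails the header field count or has an unbalanced quote is reported with its reason instead of surfacing as an opaque import error on the Management Server. Repeated keywords such as `content` are kept in order because their sequence is part of the match semantics.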
What is the default SMS and SG update interval for IPS Protections (R80.20+)?
Options:
Six hours
Twelve hours
Two hours
Daily
Answer:
C
Explanation:
The correct answer is C. Two hours. In R80.20 and later, Check Point supports direct scheduled updates from the Security Gateway for IPS protections, Anti-Virus, and Anti-Bot. The official Threat Prevention Scheduled Updates documentation states that IPS, Anti-Virus and Anti-Bot updates are performed every two hours by default. It also explains the R80.20 architectural change: before R80.20, IPS updates were downloaded to the Security Management Server and enforced by gateways after policy installation; starting from R80.20, gateways can directly download the updates.
The SMS/SG distinction matters operationally. In upgraded or mixed-version environments, scheduled update behavior can depend on whether the Management Server, Security Gateways, or both have been upgraded to R80.20 or higher. Gateways without Internet connectivity still require policy installation to enforce updates. The default interval tested here is the recurring update check for IPS protections in the R80.20+ scheduled-update model, and that interval is two hours. Six hours, twelve hours, and daily are not the documented default for IPS protections in this context. Daily applies to some Threat Emulation update components, not IPS protections. Reference topics: Threat Prevention Scheduled Updates, IPS protection updates, R80.20 direct gateway updates, Security Management Server update behavior, Security Gateway update interval.