156-590 Exam Dumps - Checkpoint CTPS Questions and Answers

The correct answer is B. Removes all Administrator overrides . Profile Cleanup is a Threat Prevention profile hygiene tool used mainly in IPS protection management. When administrators manually override protections during tuning, exception handling, false-positive analysis, emergency hardening, or staged deployment, those manual changes can accumulate and cause the profile to deviate from its intended design. Check Point’s IPS Protections documentation states that the Profile Cleanup window lets the administrator select actions such as Remove all user modified and Clear all staging , then install the Threat Prevention Policy.

This directly maps to removing administrator overrides. The option does not automatically set all protections to Detect only; Detect is an action used in specific protection or staging contexts, not the purpose of Profile Cleanup. It also does not delete exemptions, because exception rules are separate policy constructs. It does not repair or remove corrupt updates; IPS update package handling is managed through the update and revert workflow. Profile Cleanup is best understood as a reset mechanism: it clears manual activation or staging deviations so the profile can return to its baseline activation policy and blade settings. Reference topics: IPS Protections, Profile Cleanup, Remove all user modified, Clear all staging, Threat Prevention Policy installation.

The correct answer is C. External . Anti-Virus protected scope settings define which traffic direction and interface types are sent for file inspection. Check Point explains that these settings are based on interface type, such as internal or external, and traffic direction, such as incoming or outgoing. In the Anti-Virus Protected Scope section, Check Point defines the option Inspect incoming files from and lists interface choices including External , External and DMZ , and All . The External choice means the gateway inspects incoming files from external interfaces, while files from DMZ and internal interfaces are not inspected.

The default exam answer is therefore External: the baseline Anti-Virus behavior focuses on inbound files arriving from untrusted external interfaces, which is the most common malware-introduction path for perimeter deployments. Option A is too narrow because DMZ alone would ignore Internet-to-user inbound exposure. Option B expands inspection to DMZ traffic, which is valid as a configuration choice but not the default answer. Option D is broader still and increases inspection coverage and resource use, but it is not the default protected-scope setting in this question. Reference topics: Anti-Virus Settings, Protected Scope, interface topology, incoming file inspection, External interface classification.

The correct answer is C. MITRE Corporation . CVE, or Common Vulnerabilities and Exposures, is the standardized naming system used across security vendors, vulnerability databases, IPS signatures, advisories, scanners, and remediation programs. In a Check Point Threat Prevention context, CVE identifiers are important because IPS protections frequently map detections and exploit protections to known vulnerabilities. This allows administrators to correlate a Check Point IPS protection with vendor advisories, exposure management, patching, and risk prioritization. The official CVE site describes CVE as an authoritative reference method for publicly known information-security vulnerabilities and exposures. MITRE documentation states that The MITRE Corporation maintains CVE and its public website , manages compatibility, and provides technical guidance to the CVE Editorial Board.

The distractors represent related but distinct roles. DHS/CISA has historically sponsored or funded the program, but sponsorship is not ownership and maintenance of the CVE list itself. NIST maintains the National Vulnerability Database, which enriches CVE data with scoring and analysis, but NVD is downstream from CVE identifiers. Check Point consumes CVE intelligence through IPS and ThreatCloud-driven protections; it does not own the CVE program. Reference topics: IPS vulnerability mapping, CVE-based protection metadata, threat intelligence normalization, vulnerability-to-protection correlation.

The correct answer is B. Next Generation Full Protection . Check Point’s documented security subscription package families include NGFW , NGTP , and SNBT/SandBlast . Check Point’s 3600 Security Gateway datasheet explicitly lists NGFW , NGTP , and SNBT (SandBlast) as all-inclusive security package columns. The Network Security Software Bundles datasheet also presents the same package structure: NGFW as the base Next Generation Firewall bundle, NGTP as the Next-Gen Threat Prevention package, and SNBT as the SandBlast package that includes NGTP and adds zero-day protection capabilities.

Therefore, Next Generation Firewall , Next Generation Threat Prevention , and SandBlast are valid Check Point blade bundle names in this context. Next Generation Full Protection is not the documented bundle name. It may sound plausible because it describes a comprehensive security posture, but certification questions require exact product and package terminology. In Check Point licensing and subscription design, using the correct bundle name matters because each package maps to a defined set of Software Blades and subscription entitlements. NGFW provides the base firewall/IPS access-control package, NGTP adds known-threat prevention, and SNBT adds advanced SandBlast zero-day protections such as Threat Emulation, Threat Extraction, and Zero Phishing. Reference topics: Check Point Software Blade bundles, NGFW, NGTP, SNBT/SandBlast, package entitlement mapping.

The correct official-guide answer is B. Install the Threat Prevention Policy . IPS protections can be updated manually or by schedule, and Check Point documentation states that IPS can be updated with real-time information on attacks and the latest protections. However, the same official section explicitly notes that to enforce the IPS updates, you must install the Threat Prevention Policy . The documented update procedure also ends with installing the Threat Prevention Policy after selecting the IPS update method.

This distinction is important: downloading or updating the IPS package makes the updated protections available to management and policy logic, but enforcement on Security Gateways depends on policy installation. “Install Database” is not the correct enforcement step for gateway inspection. Installing the Access Control Policy is also incorrect because IPS ThreatCloud protections are part of the Threat Prevention policy framework, not the Access Control rulebase. The statement that changes are immediately active is not the current official behavior for enforcing IPS updates on gateways. In production operations, scheduled IPS updates may be paired with automatic Threat Prevention policy installation, but that still confirms the requirement: the policy must be installed for enforcement. Reference topics: Updating IPS Protections, Threat Prevention Policy installation, IPS update enforcement, scheduled updates.

The correct answer is B. You have to re-install the Threat Prevention policy . Threat Prevention exceptions are policy constructs, so they must be compiled and installed to the relevant Security Gateways before they affect enforcement. Check Point documentation for creating IPS exceptions shows the workflow: create or configure the exception rule, click OK, and then Install Policy . The Custom Threat Prevention guide also explains that Threat Prevention blades have a dedicated Threat Prevention policy and that this policy can be installed separately from Access Control. It explicitly recommends installing only the Threat Prevention policy to minimize performance impact on Security Gateways.

This is why Install Database is not sufficient. Install Database updates management-side objects and databases, but it does not enforce a new Threat Prevention exception on gateways. Installing Access Control policy is also the wrong policy domain because Anti-Virus, Anti-Bot, IPS, Threat Emulation, and Threat Extraction exceptions belong to Threat Prevention. The change is not immediately active because Security Gateways enforce compiled policy, not unpublished or uninstalled SmartConsole changes. Reference topics: Threat Prevention Exceptions, IPS Exceptions, policy installation targets, dedicated Threat Prevention policy, exception enforcement lifecycle.

The correct answer is D. Communicate forensics data collected to Government Agencies . The Forensics tracking option exists to enrich Threat Prevention logs with deeper technical context for analysis and troubleshooting. Check Point documentation states that the Forensics option adds fields to Threat Prevention logs and that the additional information gives a deeper understanding of an attack. The Monitoring Threat Prevention guidance also explains that Advanced Forensics Details can include protocol-specific details for DNS, FTP, SMTP, HTTP, and HTTPS, and that this information is used by Check Point researchers to analyze attacks.

The purpose is security analysis, incident investigation, and support-quality evidence collection, not government reporting. Options A and B accurately describe the function of Forensics tracking. Option C reflects the broader idea that forensic and diagnostic details may include gateway-related technical data for Check Point analysis, depending on configuration and feature behavior. Option D is the false statement because Check Point Threat Prevention Forensics is not defined as a mechanism for transmitting collected forensic data to government agencies. In production, enabling Forensics should be treated as a deliberate logging and privacy decision because it may add protocol and transaction context to logs. Reference topics: Threat Prevention Track Options, Forensics tracking, Advanced Forensics Details, Logs & Monitor, attack analysis.

The correct answer is B. Traffic is matched against all applicable layers at the same time . Threat Prevention policy evaluation is not best described as a flat simultaneous match against all applicable layers. Check Point documentation explains that Threat Prevention Policy Layers are Ordered Layers , and that each ordered layer calculates its action separately from the other layers. In a single-layer policy package, the enforced rule is the first matched rule. In multiple-layer policy behavior, matching and enforcement are determined by the layer calculations and the applicable action logic, rather than by one undifferentiated simultaneous match model.

Option A is true because Threat Prevention inspection is applied after the Access Control policy allows the connection; traffic dropped or rejected by Access Control does not proceed to Threat Prevention enforcement. Option C is true for a single Threat Prevention layer because the first matching rule is enforced. Option D is also true because Threat Prevention uses ordered policy-layer behavior. The false statement is therefore option B. Reference topics: Threat Prevention Policy, Ordered Layers, first-match rule behavior, Access Control before Threat Prevention, multi-layer enforcement logic.

The correct answer is B. The Security Gateway sends a packet capture file along with the log file. The former can be analyzed with an external tool, such as Wireshark . Packet Capture is a tracking enhancement used when logs alone are not enough to understand the traffic that triggered a security event. Check Point documentation explains that Packet Capture lets administrators capture network traffic and that the packet-capture content provides greater insight into the traffic that generated the log. When this feature is activated, the Security Gateway sends a packet-capture file with the log to the Log Server.

This is especially useful for IPS and Threat Prevention troubleshooting because analysts can inspect payload structure, headers, protocol behavior, retransmissions, and exact traffic context behind a prevention or detection event. Packet captures can then be opened in external protocol-analysis tools such as Wireshark for deeper investigation. Option A is incorrect because Packet Capture is not specifically an XDR visualization feature. Option C is unrelated to tracking and describes a timeout-style behavior. Option D describes threshold/reset logic, not packet evidence collection. Reference topics: Packet Capture Track option, Logs & Monitor, Threat Prevention event analysis, IPS troubleshooting, packet-level evidence.

The correct answer is B. Rule Header and Rule Options . Check Point supports SNORT rule import so administrators can create custom IPS protections from SNORT signatures. The official Check Point SNORT Signature Support documentation states that SNORT rules use signatures to define attacks and that a SNORT rule has a rule header and rule options . It also provides the syntax structure, where the first section contains action, protocol, source, destination, ports, and direction, while the options section contains keywords such as message and content match criteria.

The Rule Header defines the traffic selector and enforcement context: protocol, source address, source port, direction, destination address, and destination port. The Rule Options define the detection logic and metadata inside parentheses, such as msg, content, and other matching keywords. “Rule body” is not the formal Check Point/SNORT term in this context, and “rule start/rule stop” is not a recognized logical construction. This matters because imported SNORT rules become IPS protections, so syntax correctness affects whether the Management Server can parse, import, and enforce the custom signature. Reference topics: SNORT Signature Support, Custom IPS Protections, Rule Header, Rule Options, imported SNORT protections.