156-590 Exam Dumps - Checkpoint CTPS Questions and Answers

The correct answer is B. Post-infection . Anti-Bot is the Threat Prevention blade focused on identifying and stopping bot-infected hosts after compromise indicators appear. Check Point documentation explicitly describes Anti-Bot as performing post-infection detection of bots on hosts and preventing bot damage by blocking command-and-control communications. The broader Threat Prevention guide also lists Anti-Bot as post-infection detection and explains that it uses ThreatCloud intelligence and multiple detection methods to identify bot activity.

This differs from IPS and Anti-Virus positioning. IPS and Anti-Virus are commonly understood as pre-infection controls because they attempt to block exploit traffic or malicious files before the host is compromised. Anti-Bot, by contrast, assumes the possibility that a host may already be infected and focuses on detecting outbound C & C communication, botnet behavior, malicious destinations, and other compromise evidence. Pre-inspection and post-inspection are not valid lifecycle categories for this blade in the exam context. In real operations, Anti-Bot is especially valuable for finding infected internal machines that bypassed earlier preventive controls or became infected off-network. Reference topics: Anti-Bot Software Blade, post-infection detection, Command and Control prevention, ThreatCloud intelligence, botnet behavior detection.

The correct answer is D. The IPS Blade must be activated on the individual Security Gateway object . Check Point Software Blades are enabled on the enforcement point that inspects traffic, which is the Security Gateway or Cluster object, not merely on the Management Server. The official Threat Prevention guide states that to enable IPS, the administrator opens the Security Gateway / Cluster object , goes to General Properties > Network Security , selects IPS , and follows the wizard. For IPS package installation, Check Point also documents the sequence: enable IPS in the Security Gateway object, enable IPS in the corresponding Threat Prevention policy, and install the Threat Prevention Policy.

Licensing alone is therefore insufficient; a license permits use, but blade activation defines whether the gateway enforces IPS inspection. Option A is wrong because enabling the blade on the Management Server object does not activate IPS enforcement on all managed gateways. Option C is also wrong in standard ClusterXL management because blades are configured on the Cluster object, not separately and inconsistently on individual members. Operationally, enabling IPS on the correct gateway or cluster object ensures SmartConsole exposes the appropriate Threat Prevention controls and that policy installation targets the enforcement points. Reference topics: IPS Blade activation, Gateway object configuration, Threat Prevention policy installation, Cluster object management.

The correct answer is D. IPS, Antivirus and Antibot . Threat Prevention updates can be scheduled automatically, but administrators can also manually trigger updates for the major signature/intelligence-driven Threat Prevention blades. Check Point’s scheduled-update documentation states that automatic gateway updates can be configured for Anti-Virus , Anti-Bot , Threat Emulation , and IPS blades. It also explains that Anti-Virus, Anti-Bot, and Threat Emulation gateways download updates directly from the Check Point cloud, while IPS update behavior changed from management-based enforcement before R80.20 to gateway direct download starting in R80.20.

In the exam context, the manually triggered signature-update set is IPS, Anti-Virus, and Anti-Bot. These blades depend heavily on continuously updated threat intelligence, signatures, malicious domains, command-and-control intelligence, malware classification, and IPS protection packages. Option B is too narrow because IPS is not the only manually updateable Threat Prevention component. Option C is incomplete because it omits Anti-Bot. Option A is not a valid update-set answer. Operationally, manual updates are used when an urgent threat advisory, lab recommendation, incident response condition, or failed scheduled update requires immediate refresh of protection data. Reference topics: Threat Prevention Updates, IPS Updates, Anti-Virus Updates, Anti-Bot Updates, scheduled and manual update workflow.

The correct answer is C. user:"John Doe" AND (action:drop OR action:reject OR action:block) . Check Point log-query syntax uses field-based filters in the form field:value , Boolean operators such as AND and OR , and parentheses to group multiple criteria. The official Query Language Overview states that the basic syntax is [Field:] < Filter Criterion > , and that Boolean operators can combine multiple filters. It also shows action filtering examples such as blade:"application control" AND action:block, and explains that multiple Boolean expressions can be grouped in parentheses.

Because the user name contains a space, the value must be enclosed in double quotation marks: user:"John Doe". Without quotes, the query parser treats the words as separate criteria, which makes option B incorrect. Option A uses a hyphenated value, which changes the user name. Option D uses single quotes, while Check Point examples and expected syntax use double quotes for phrase values. The action clause is correctly grouped with OR to match logs where the IPS-related enforcement action is drop, reject, or block. Reference topics: Logs & Monitor query language, field filters, quoted strings, Boolean operators, action filtering, IPS log investigation.

The correct answer is B. UserCheck . In SmartConsole, Custom Policy Tools are used to manage Threat Prevention policy objects and tuning components such as profiles, IPS protections, indicators, and protection categories. The official R81.20 guide shows Custom Policy Tools > Profiles for profile creation, editing, and cloning, and Custom Policy Tools > IPS Protections for managing IPS protection behavior. The same guide also shows Custom Policy Tools > Indicators as the location used to configure external IoC feeds.

Malicious Activity Detection is represented through Threat Prevention protection types: the Protections Browser displays protection types, and the guide states that Malicious Activity and Unusual Activity protection types contain lists of protections. UserCheck, however, is not itself a Custom Policy Tools setting. It is a user interaction and notification mechanism configured inside relevant blade/profile settings, such as Anti-Bot or Zero Phishing UserCheck messages. Therefore, among the choices, UserCheck is the item that does not belong as an available Custom Policy Tools setting. Reference topics: Custom Policy Tools, IPS Protections, Indicators, Threat Prevention Profiles, Protections Browser, UserCheck settings.

The correct answer is B. Exclusions . In Anti-Virus policy design, exclusions are used to remove selected traffic or file categories from Anti-Virus inspection when inspection is unnecessary, redundant, or too costly for the business flow. Check Point documentation states that Threat Prevention can be configured to exclude files from inspection , including examples such as internal emails and internal file transfers. The same section explains that these settings are based on interface type and traffic direction.

This directly aligns with the performance objective in the question: if the gateway does not inspect files that are already trusted, internal, or operationally low-risk, Anti-Virus consumes fewer CPU, memory, buffering, and content-inspection resources. Content Control is not the Anti-Virus bypass feature named in this context. Exceptions are policy-level constructs that can exclude traffic from Threat Prevention enforcement, but the question specifically asks for the feature that improves Anti-Virus performance by bypassing inspection of specific files, which is Exclusions . Bypass describes the effect, not the named feature. Reference topics: Anti-Virus Settings, Protected Scope, file inspection exclusions, interface direction, Threat Prevention performance optimization.

The correct current official-guide answer is A. Every two hours . Starting from R80.20, Check Point changed IPS update behavior so that gateways can directly download Threat Prevention updates instead of relying only on the Security Management Server and policy installation workflow. The official R80.20 SmartConsole Help states that, starting from R80.20, gateways can directly download updates, while gateways without Internet connectivity still require policy installation to enforce updates. The same official section states that IPS, Anti-Virus and Anti-Bot updates are performed every two hours by default .

This is the key distinction for R80.20 and later. Earlier operational models were more management-server centered, but R80.20+ supports gateway-side automatic update behavior. Every 24 hours is not the current documented default for IPS, Anti-Virus, and Anti-Bot updates in this R80.20+ context. Threat Emulation engine and image updates have separate daily default schedules, which can create confusion if update types are mixed together. Option C and D are also incorrect because the official default is neither hourly nor every four hours. Reference topics: Threat Prevention Scheduled Updates, R80.20 gateway direct updates, IPS update frequency, Anti-Virus and Anti-Bot updates, policy installation for offline gateways.

The correct answer is C. Install the Threat Prevention Policy . IPS Core Protections are part of the Threat Prevention policy domain, so changing them in SmartConsole is not enough by itself. The updated configuration must be compiled and installed to the relevant Security Gateways through the Threat Prevention Policy installation process. Check Point’s IPS Protections documentation shows the workflow for editing core protections: go to Security Policies > Threat Prevention > Custom Policy Tools > IPS Protections , filter for Type Core , edit the required core protection settings, and then Install the Threat Prevention policy .

This directly eliminates the other options. The setting is not immediately active because gateways enforce installed policy, not merely edited management configuration. Install Database updates the management database but does not push enforcement logic to the Security Gateway. Install Access Control Policy applies firewall/access-layer logic, but IPS Core Protections belong to the Threat Prevention policy. In operational terms, this separation allows administrators to install Threat Prevention changes without necessarily reinstalling Access Control, reducing disruption and keeping blade changes scoped to the correct policy package. Reference topics: IPS Protections, Core IPS Protections, Custom Policy Tools, Threat Prevention Policy installation, enforcement lifecycle.

The correct answer is B. Forensics . In Threat Prevention policy tracking, Forensics is the tracking option intended to enrich Threat Prevention logs with additional investigation data. Check Point documentation states that the Forensics option adds fields to the Threat Prevention logs , and that this extra information provides a deeper understanding of an attack. The Monitoring Threat Prevention section further explains that Advanced Forensics Details can appear in logs for supported protocols such as DNS, FTP, SMTP, HTTP, and HTTPS, and that this additional information is used by Check Point researchers to analyze attacks.

This is why Forensics is the correct TAC-oriented tracking choice. Alert is a notification-style tracking action, not a deep forensic enrichment mechanism. SNMP sends a management notification, and User Defined invokes administrator-defined alert handling rather than supplying advanced attack-analysis fields. In operational troubleshooting, Forensics is valuable because it preserves richer evidence around the inspected connection, affected blade, protocol behavior, and detection context. Reference topics: Threat Prevention Policy Track Options, Advanced Forensics Details, Logs & Monitor, TAC escalation analysis.

The correct answer is D. The Threat Prevention Policy is only applied after traffic is accepted by Access Control Policy . Threat Prevention is a follow-up inspection framework for traffic that has already passed the access decision. The Access Control policy determines whether a connection is allowed, rejected, or dropped. Only traffic that is allowed by Access Control can proceed into Threat Prevention evaluation for IPS, Anti-Bot, Anti-Virus, Threat Emulation, and related blades. Check Point’s policy workflow separates Access Control and Threat Prevention, and the Threat Prevention guide describes the Threat Prevention rulebase as the policy used to activate needed protections and prevent attacks against accepted traffic flows.

Options B and C are incorrect because Threat Prevention does not resurrect or override a connection that Access Control has already dropped or rejected. The inspection chain is sequential from an enforcement perspective: blocked traffic does not continue to malware or IPS inspection as an accepted connection. Option A is also incorrect because a gateway is assigned policy through its policy package and Threat Prevention policy structure, not by stacking multiple independent Threat Prevention policies on the same target as competing enforcement policies. Reference topics: Threat Prevention Policy workflow, Access Control then Threat Prevention sequence, policy package enforcement, accepted-traffic inspection.