You have to issue a Log filter to view IPS logs generated for user John Doe.
Which of the following is the correct filter?
A. user:"John-Doe" AND (action:drop OR action:reject OR action:block)
B. user:John Doe AND (action:drop OR action:reject OR action:block)
C. user:"John Doe" AND (action:drop OR action:reject OR action:block)
D. user:'John Doe' AND (action:drop OR action:reject OR action:block)
The correct answer is C. user:"John Doe" AND (action:drop OR action:reject OR action:block). Check Point log-query syntax uses field-based filters in the form field:value, Boolean operators such as AND and OR, and parentheses to group multiple criteria. The official Query Language Overview states that the basic syntax is [Field:] <Filter Criterion>, and that Boolean operators can combine multiple filters. It also shows action filtering examples such as blade:"application control" AND action:block, and explains that multiple Boolean expressions can be grouped in parentheses.
Because the user name contains a space, the value must be enclosed in double quotation marks: user:"John Doe". Without quotes, the query parser treats the words as separate criteria, which makes option B incorrect. Option A uses a hyphenated value, which changes the user name. Option D uses single quotes, while Check Point examples and expected syntax use double quotes for phrase values. The action clause is correctly grouped with OR to match logs where the IPS-related enforcement action is drop, reject, or block. Reference topics: Logs & Monitor query language, field filters, quoted strings, Boolean operators, action filtering, IPS log investigation.
How are SNORT rules constructed?
A. The rule is contained on two lines. There are two logical sections: Rule Header and Rule Payload.
B. The rule is contained on two lines. There are two logical sections: Rule Header and Rule Options.
C. The rule is contained on one line. There are two logical sections: Rule Header and Rule Payload.
D. The rule is contained on a single line. There are two logical sections: Rule Header and Rule Options.
The correct answer is D. The rule is contained on a single line. There are two logical sections: Rule Header and Rule Options. SNORT signatures are supported in Check Point Threat Prevention as custom IPS-style protections, and their structure follows the standard SNORT rule model. Official Snort documentation states that the rule header includes the text before the first parenthesis, while the body contains the rule options between parentheses. It also shows a complete rule with header and option definitions. The classic Snort rule reference describes the two logical sections as the rule header and rule options.
In the exam wording, the expected construction is a single-line rule composed of these two logical sections. The header defines the coarse traffic selector and action, such as alert/drop, protocol, source, destination, ports, and direction. The options define the detailed detection logic, such as message, content match, flow, metadata, and signature identifier. “Payload” is not the correct formal name for the second logical section, which eliminates options A and C. Option B uses the correct logical sections but incorrectly states that the rule is contained on two lines. Reference topics: SNORT Signature Support, custom IPS protections, Rule Header, Rule Options, signature syntax.
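As an added illustration of the single-line, two-section structure described above (example code, not from Check Point or the Snort project): a small Python parser that splits a rule into its Rule Header and Rule Options and rejects a rule that spans two lines. The sample rule, its message text and its sid are constructed for this example.

```python
import re
from dataclasses import dataclass, field


@dataclass
class SnortRule:
    """Rule Header fields plus the Rule Options list."""
    action: str
    protocol: str
    src_ip: str
    src_port: str
    direction: str
    dst_ip: str
    dst_port: str
    options: list = field(default_factory=list)  # (keyword, value or None) pairs


# Rule Header: action protocol src_ip src_port direction dst_ip dst_port
_HEADER_RE = re.compile(
    r"^(?P<action>\S+)\s+(?P<protocol>\S+)\s+(?P<src_ip>\S+)\s+(?P<src_port>\S+)"
    r"\s+(?P<direction>->|<>)\s+(?P<dst_ip>\S+)\s+(?P<dst_port>\S+)$"
)


def split_options(body: str) -> list:
    """Split 'key:value; key2; ...' into (keyword, value) pairs; a ';' inside
    a double-quoted value such as content:"a;b" does not end the option."""
    items, current, in_quote = [], "", False
    for ch in body:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            if current.strip():
                items.append(current.strip())
            current = ""
        else:
            current += ch
    if in_quote:
        raise ValueError("unterminated quoted value in rule options")
    if current.strip():
        raise ValueError("every rule option must be terminated by ';'")
    pairs = []
    for item in items:
        key, sep, value = item.partition(":")
        value = value.strip() if sep else None
        if value and len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]  # drop the surrounding quotes
        pairs.append((key.strip(), value))
    return pairs


def parse_rule(text: str) -> SnortRule:
    """Parse one rule; raise ValueError if it spans more than one line or
    lacks either logical section."""
    text = text.strip()
    if "\n" in text:
        raise ValueError("a Snort rule must be contained on a single line")
    open_idx = text.find("(")
    if open_idx == -1 or not text.endswith(")"):
        raise ValueError("rule options must be enclosed in parentheses")
    header = text[:open_idx].strip()  # Rule Header: text before the first '('
    body = text[open_idx + 1:-1]      # Rule Options: text between the parentheses
    m = _HEADER_RE.match(header)
    if not m:
        raise ValueError(f"malformed rule header: {header!r}")
    return SnortRule(**m.groupdict(), options=split_options(body))


def is_valid_rule(text: str) -> bool:
    """True when the text parses as a single-line header + options rule."""
    try:
        parse_rule(text)
        return True
    except ValueError:
        return False


# Constructed sample rule for this example (not a real protection).
SAMPLE_RULE = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 '
    '(msg:"EXAMPLE path traversal attempt"; flow:to_server,established; '
    'content:"../../etc/passwd"; nocase; sid:1000001; rev:1;)'
)

if __name__ == "__main__":
    rule = parse_rule(SAMPLE_RULE)
    print("header:", rule.action, rule.protocol, rule.direction, rule.dst_port)
    print("options:", rule.options)
    print("two-line variant (options A/B) valid?", is_valid_rule(SAMPLE_RULE.replace(" (", "\n(", 1)))
```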
What does ThreatCloud DGA Protection defend against?
A. Known malicious IPs
B. Infected URLs
C. Infected files
D. Newly created domains
The correct answer is D. Newly created domains. DGA means Domain Generation Algorithm, a technique used by malware to algorithmically create large numbers of domain names for command-and-control communication. Instead of hardcoding one static C2 domain, a bot can generate many possible domains over time, making takedown and static blocking much harder. Check Point’s Network Security Software Bundles datasheet states that Check Point AI Deep Learning blocks the latest DNS attacks, including Tunneling and Domain Generation Algorithm/DGA, and specifically blocks connections to the newest generation of malicious domains created via DGA.
This explains why the correct exam option is “newly created domains.” Known malicious IP blocking is a reputation and IP intelligence function, but it is not the specific purpose of DGA protection. Infected URLs and infected files are handled by URL reputation, Anti-Virus, Threat Emulation, and related Threat Prevention functions. DGA protection focuses on DNS-layer behavior and suspicious or algorithmically generated domain use, especially when malware attempts to contact rotating or recently generated domains for C2, payload retrieval, or data exfiltration. In operational terms, DGA protection is part of Anti-Bot and Advanced DNS defense, helping detect compromised hosts even when the malware infrastructure changes rapidly. Reference topics: ThreatCloud, DGA Protection, Advanced DNS, Anti-Bot, DNS C2 prevention.
What are the three Preconfigured Threat Prevention Profiles?
A. Inbound, Outbound, Etherbound.
B. Perimeter, Datacenter, East-West Communication.
C. North-South, East-West, Lateral Movement.
D. Basic, Optimized, Strict.
The correct answer is D. Basic, Optimized, Strict. Check Point supplies out-of-the-box Threat Prevention profiles to give administrators predefined security/performance baselines. The official Threat Prevention Profiles section states that administrators can clone a selected profile but cannot change the out-of-the-box profiles: Basic, Optimized, and Strict.
These profiles represent different operating postures. Basic is designed for reliable protection with lower performance impact. Optimized is the default-style balanced approach, providing strong protection for common products and protocols while preserving gateway performance. Strict provides wider coverage and more aggressive protection selection, but can increase inspection cost and may require closer tuning. The other answer choices describe architectural traffic directions or deployment zones, not the official preconfigured profile names. “Perimeter,” “Datacenter,” and “East-West” are useful design concepts, especially in modern segmentation and Autonomous Threat Prevention discussions, but they are not the three preconfigured Custom Threat Prevention profiles in this question. From a certification perspective, the distinction matters because profiles are selected as the Action in Threat Prevention rules and determine which protections and blades are active. Reference topics: Threat Prevention Profiles, out-of-the-box profiles, Basic profile, Optimized profile, Strict profile, profile cloning.
Which DNS Protection mechanism has been introduced with R81.20?
A. Propagation of a Bogus IP as a response to a DNS request.
B. Malware DNS Trap.
C. ThreatCloud DNS Tunneling Protection.
D. Synchronization of the /etc/hosts file from Protection servers.
The correct answer is C. ThreatCloud DNS Tunneling Protection. Check Point R81.20 introduced major Advanced Threat Prevention enhancements, including AI Deep Learning improvements for DNS attacks. The R81.20 Release Notes state that AI Deep Learning prevents more DNS attacks in real time and specifically reference ThreatCloud DNS tunneling protection as part of the DNS Security enhancements.
DNS tunneling protection is distinct from Malware DNS Trap. Malware DNS Trap returns a false or bogus IP address for known malicious hosts and domains, and it can help identify compromised clients by observing connection attempts to the false trap address. That mechanism is what options A and B describe, but it is not the R81.20-introduced DNS protection being tested here. ThreatCloud DNS Tunneling Protection targets a different technique: abuse of DNS as a covert channel for command-and-control, data exfiltration, or tunneling traffic through recursive DNS infrastructure. Option D is unrelated to Check Point DNS Threat Prevention architecture. Reference topics: R81.20 Advanced Threat Prevention, DNS Security, ThreatCloud DNS Tunneling Protection, Malware DNS Trap, Anti-Bot and Anti-Virus DNS protections.
What is a distinct limitation of Active Streaming compared to Passive Streaming in conjunction with Anti-Virus?
A. Only scheduled scans are possible.
B. File size limits.
C. There is no limitation.
D. Only a subset of file types supported.
The correct answer is D. Only a subset of file types supported. In Check Point traffic inspection architecture, Passive Streaming and Active Streaming are stream-handling mechanisms used by content-inspection components. Passive Streaming allows inspection of traffic as a stream is observed, while Active Streaming is more intrusive because the gateway can actively participate in traffic handling, buffering, or modification. In Anti-Virus inspection, this distinction matters because file classification and supported file handling depend on the inspection mechanism and file-type processing model. Check Point’s Anti-Virus settings expose file-type controls, including processing file-type families and configuring actions per file type. Check Point’s Security Gateway documentation also identifies CPAS as Check Point Active Streaming and PSL as Passive Streaming Layer, with MUX selecting between passive and active streaming for application traffic.
The exam distinction is that Active Streaming does not provide unrestricted Anti-Virus inspection coverage across every possible file type; its limitation is that only a subset of file types is supported. Option A is wrong because Anti-Virus inspection is not limited to scheduled scans. Option B is not the distinct comparative limitation in this context. Option C is incorrect because there is a documented architectural distinction between the two streaming approaches. Reference topics: CPAS, PSL, MUX, Anti-Virus file-type processing, content inspection architecture.
Using IPS can send a large part of the traffic to the F2F path.
Which command can you use to enforce traffic quotas?
A. fw dos rate
B. fwaccel rate
C. fw ctl dos
D. fwaccel dos rate
The correct answer is D. fwaccel dos rate. When IPS or other Threat Prevention inspection causes significant traffic to leave the fully accelerated SecureXL path and move to F2F, the gateway can experience higher CPU utilization because more packets require Firewall kernel processing. The fwaccel dos rate command belongs to SecureXL DoS and rate-limiting controls. Check Point’s Performance Tuning guide defines fwaccel dos rate and fwaccel6 dos rate as commands that show and install the Rate Limiting policy in SecureXL. It also notes that the feature is enabled by default without rules.
This makes it the correct command for enforcing traffic quotas or rate-limiting policy in the accelerated path. fw dos rate is not the correct Check Point syntax. fwaccel rate omits the DoS rate-limiting command hierarchy. fw ctl dos is also not the documented command for SecureXL rate policy installation. In operational performance tuning, fwaccel DoS rate controls are useful when the gateway must protect CPU resources from excessive connection rates, volumetric pressure, or inspection-heavy flows that can amplify the impact of Threat Prevention processing. Reference topics: SecureXL DoS Mitigation, Rate Limiting Policy, fwaccel dos rate, F2F path, IPS performance impact.
Which is NOT true of Threat Prevention policy application?
A. Only applied after traffic is accepted by Access Control Policy
B. Traffic is matched against all applicable layers at the same time
C. Only applies first matched rule
D. Applied as ordered layer
The correct answer is B. Traffic is matched against all applicable layers at the same time. Threat Prevention policy evaluation is not best described as a flat simultaneous match against all applicable layers. Check Point documentation explains that Threat Prevention Policy Layers are Ordered Layers, and that each ordered layer calculates its action separately from the other layers. In a single-layer policy package, the enforced rule is the first matched rule. In multiple-layer policy behavior, matching and enforcement are determined by the layer calculations and the applicable action logic, rather than by one undifferentiated simultaneous match model.
Option A is true because Threat Prevention inspection is applied after the Access Control policy allows the connection; traffic dropped or rejected by Access Control does not proceed to Threat Prevention enforcement. Option C is true for a single Threat Prevention layer because the first matching rule is enforced. Option D is also true because Threat Prevention uses ordered policy-layer behavior. The false statement is therefore option B. Reference topics: Threat Prevention Policy, Ordered Layers, first-match rule behavior, Access Control before Threat Prevention, multi-layer enforcement logic.
What is necessary to do in order for the IPS Core Protection to take effect?
A. Nothing is to be done, since the Core Protection settings are immediately active.
B. Install the Access Control Policy.
C. Install the Threat Prevention Policy.
D. Perform "Install Database" on the Management Server.
The correct answer is C. Install the Threat Prevention Policy. IPS Core Protections are part of the Threat Prevention policy domain, so changing them in SmartConsole is not enough by itself. The updated configuration must be compiled and installed to the relevant Security Gateways through the Threat Prevention Policy installation process. Check Point’s IPS Protections documentation shows the workflow for editing core protections: go to Security Policies > Threat Prevention > Custom Policy Tools > IPS Protections, filter for Type Core, edit the required core protection settings, and then Install the Threat Prevention policy.
This directly eliminates the other options. The setting is not immediately active because gateways enforce installed policy, not merely edited management configuration. Install Database updates the management database but does not push enforcement logic to the Security Gateway. Install Access Control Policy applies firewall/access-layer logic, but IPS Core Protections belong to the Threat Prevention policy. In operational terms, this separation allows administrators to install Threat Prevention changes without necessarily reinstalling Access Control, reducing disruption and keeping blade changes scoped to the correct policy package. Reference topics: IPS Protections, Core IPS Protections, Custom Policy Tools, Threat Prevention Policy installation, enforcement lifecycle.
Which is NOT an available setting under Custom Policy Tools?
A. IPS Protections
B. UserCheck
C. Indicators
D. Malicious Activity Detection
The correct answer is B. UserCheck. In SmartConsole, Custom Policy Tools are used to manage Threat Prevention policy objects and tuning components such as profiles, IPS protections, indicators, and protection categories. The official R81.20 guide shows Custom Policy Tools > Profiles for profile creation, editing, and cloning, and Custom Policy Tools > IPS Protections for managing IPS protection behavior. The same guide also shows Custom Policy Tools > Indicators as the location used to configure external IoC feeds.
Malicious Activity Detection is represented through Threat Prevention protection types: the Protections Browser displays protection types, and the guide states that Malicious Activity and Unusual Activity protection types contain lists of protections. UserCheck, however, is not itself a Custom Policy Tools setting. It is a user interaction and notification mechanism configured inside relevant blade/profile settings, such as Anti-Bot or Zero Phishing UserCheck messages. Therefore, among the choices, UserCheck is the item that does not belong as an available Custom Policy Tools setting. Reference topics: Custom Policy Tools, IPS Protections, Indicators, Threat Prevention Profiles, Protections Browser, UserCheck settings.
IPS stands for?
A. Invasion Prevention Software
B. Intrusion Prevention System
C. Intrusion Prevention Software
D. Invasion Prevention System
The correct answer is B. Intrusion Prevention System. In Check Point terminology, IPS is the Software Blade responsible for inspecting and analyzing packets and data for numerous risk types. The official Check Point Threat Prevention documentation identifies IPS as Intrusion Prevention System and describes IPS protections as part of the Threat Prevention Software Blade framework.
IPS is more than a simple signature engine. It provides vulnerability-oriented and exploit-oriented protections, including protections mapped to CVEs, protocol anomalies, command injection patterns, server-side attacks, client-side attacks, and other known or unknown exploitation behaviors. Check Point also describes IPS as delivering proactive intrusion prevention with thousands of signatures, behavioral protections, and preemptive protections, adding another layer of security above firewall enforcement.
The incorrect options misuse the term “Invasion” or replace “System” with “Software.” Although IPS is implemented as a Check Point Software Blade, the acronym itself expands to Intrusion Prevention System. In policy design, IPS is treated as a pre-infection prevention capability that stops exploitation before compromise, rather than as a post-infection malware-detection control. Reference topics: IPS Software Blade, Intrusion Prevention System definition, IPS protections, CVE-based protections, proactive intrusion prevention.
What kind of blade is the IPS considered?
A. Preventative
B. Pre-infection
C. Inline
D. Post-infection
The correct answer is B. Pre-infection. IPS is categorized as a pre-infection Threat Prevention blade because its primary role is to stop exploitation attempts before the protected host becomes compromised. Check Point’s Threat Prevention guide describes IPS as protection against malicious and unwanted network traffic, focusing on application and server vulnerabilities, in-the-wild attacks, exploit kits, and malicious attackers. The same guide distinguishes Anti-Bot & Advanced DNS as post-infection detection of bots on hosts, while Anti-Virus is described as pre-infection detection and blocking of malware at the gateway.
IPS belongs in the pre-infection stage because it prevents the exploit chain from succeeding. It inspects network traffic for vulnerability exploitation, protocol abuse, malformed payloads, known CVE exploitation attempts, server attacks, client attacks, and suspicious patterns that could lead to compromise. “Preventative” is broadly true as an English description, but it is not the specific Check Point lifecycle classification tested here. “Inline” describes where a security function may sit in traffic flow, not the infection-stage category. “Post-infection” is associated with Anti-Bot, which detects and blocks command-and-control communications after a host shows signs of compromise. Reference topics: IPS Software Blade, pre-infection prevention, exploit protection, Threat Prevention architecture, Anti-Bot post-infection contrast.
What is the primary benefit of DNS Trap?
A. Infected host identification
B. Blocking known bad URLs
C. Blocking outbound malicious DNS queries
D. Blocking inbound malicious DNS queries
The correct answer is A. Infected host identification. Malware DNS Trap is designed to help identify compromised clients by redirecting malicious DNS resolution to a controlled false IP address and then observing which internal hosts attempt to connect to that trap address. Check Point’s R81.20 Threat Prevention guide states that Malware DNS Trap can be used to detect compromised clients by checking logs with connection attempts to the false IP address. It also notes that internal DNS servers can be added to better identify the origin of malicious DNS requests.
This makes the primary operational benefit host attribution. While DNS security can block or prevent malicious DNS-related activity, DNS Trap’s distinctive value is showing which internal endpoint is likely infected or attempting malicious communication. Option B is more aligned with URL Filtering or URL reputation, not DNS Trap. Option C describes a blocking outcome, but it misses the key trap mechanism and attribution purpose. Option D is incorrect because the usual DNS Trap use case concerns internal clients generating suspicious outbound DNS or follow-up connections, not inbound malicious DNS queries. Reference topics: Malware DNS Trap, Anti-Bot & Advanced DNS, false IP address, compromised-client detection, infected-host investigation.
What type of layer is the Threat Prevention policy?
A. It can be ordered or inline
B. Inline
C. Post Access Control follow-up layer
D. Ordered
The correct answer is D. Ordered. Threat Prevention policy uses ordered policy layers. Check Point documentation states that you can create a Threat Prevention Rule Base with multiple Ordered Layers, and that Ordered Layers help organize the Rule Base according to organizational needs, such as services or networks. Each Policy Layer calculates its action separately from other layers, and when there is one layer in the policy package, the first matched rule is enforced.
This is a core certification distinction. Access Control can use ordered and inline layers, but Threat Prevention is treated as an ordered layer policy model. The policy evaluates rules in order and applies the appropriate Threat Prevention profile, blades, protection behavior, and tracking according to rule matching. Option C describes when Threat Prevention is applied in the traffic flow—after Access Control accepts the connection—but it does not answer the question about the layer type. Option A is incorrect because Threat Prevention is not both ordered and inline in this context. Option B is incorrect because inline layers are not the Threat Prevention layer type being tested here. Reference topics: Threat Prevention Policy Layers, Ordered Layers, first-match behavior, policy-layer calculation, Threat Prevention Rule Base.
Which Tracking option can be used to capture additional data for analysis by Check Point TAC?
A. Alert
B. Forensics
C. SNMP
D. User Defined
The correct answer is B. Forensics. In Threat Prevention policy tracking, Forensics is the tracking option intended to enrich Threat Prevention logs with additional investigation data. Check Point documentation states that the Forensics option adds fields to the Threat Prevention logs, and that this extra information provides a deeper understanding of an attack. The Monitoring Threat Prevention section further explains that Advanced Forensics Details can appear in logs for supported protocols such as DNS, FTP, SMTP, HTTP, and HTTPS, and that this additional information is used by Check Point researchers to analyze attacks.
This is why Forensics is the correct TAC-oriented tracking choice. Alert is a notification-style tracking action, not a deep forensic enrichment mechanism. SNMP sends a management notification, and User Defined invokes administrator-defined alert handling rather than supplying advanced attack-analysis fields. In operational troubleshooting, Forensics is valuable because it preserves richer evidence around the inspected connection, affected blade, protocol behavior, and detection context. Reference topics: Threat Prevention Policy Track Options, Advanced Forensics Details, Logs & Monitor, TAC escalation analysis.
Who owns and maintains the CVE program and database?
A. Check Point
B. US Department of Homeland Security (DHS)
C. MITRE Corporation
D. National Institute of Standards and Technology (NIST)
The correct answer is C. MITRE Corporation. CVE, or Common Vulnerabilities and Exposures, is the standardized naming system used across security vendors, vulnerability databases, IPS signatures, advisories, scanners, and remediation programs. In a Check Point Threat Prevention context, CVE identifiers are important because IPS protections frequently map detections and exploit protections to known vulnerabilities. This allows administrators to correlate a Check Point IPS protection with vendor advisories, exposure management, patching, and risk prioritization. The official CVE site describes CVE as an authoritative reference method for publicly known information-security vulnerabilities and exposures. MITRE documentation states that The MITRE Corporation maintains CVE and its public website, manages compatibility, and provides technical guidance to the CVE Editorial Board.
The distractors represent related but distinct roles. DHS/CISA has historically sponsored or funded the program, but sponsorship is not ownership and maintenance of the CVE list itself. NIST maintains the National Vulnerability Database, which enriches CVE data with scoring and analysis, but NVD is downstream from CVE identifiers. Check Point consumes CVE intelligence through IPS and ThreatCloud-driven protections; it does not own the CVE program. Reference topics: IPS vulnerability mapping, CVE-based protection metadata, threat intelligence normalization, vulnerability-to-protection correlation.
Mike wants to block all files in the event of internal failure; what option should he choose?
A. open system
B. fail-close
C. fail-open
D. closed system
The correct answer is B. fail-close. Fail mode defines how the Threat Prevention inspection engine behaves when it is overloaded or experiences an internal failure. Check Point’s Threat Prevention Engine Settings documentation defines two options: Allow all connections (Fail-open) and Block all connections (Fail-close). Fail-open allows connections when the engine is overloaded or fails; Fail-close blocks connections in that condition.
Because the question specifically says Mike wants to block all files if an internal failure occurs, the secure choice is fail-close. This prioritizes protection and containment over availability. It is appropriate where allowing unscanned files would be unacceptable, such as highly regulated environments, malware-sensitive segments, or traffic paths carrying untrusted downloads. The tradeoff is operational: fail-close can interrupt business traffic if the inspection engine is unavailable, overloaded, or unable to complete the decision. Fail-open is the default availability-oriented behavior because it keeps traffic moving during failure, but it permits files or connections that may not have completed inspection. “Open system” and “closed system” are not the correct Check Point Threat Prevention fail-mode terms in this context. Reference topics: Threat Prevention Engine Settings, ThreatSpect fail mode, fail-open, fail-close, inspection failure handling.
What action is taken by Threat Prevention for traffic that does not match any Threat Prevention rules?
A. Reject
B. Drop
C. Accept
D. Detect
The correct answer is C. Accept. Threat Prevention is applied only to traffic that has already been accepted by the Access Control policy, and then the Threat Prevention rulebase determines which protection profile, blade behavior, and tracking settings apply. When traffic does not match a Threat Prevention rule, no Threat Prevention profile is selected for that connection, so the traffic is not blocked by Threat Prevention simply because of a non-match. Check Point documentation explains that Threat Prevention policy layers calculate their actions according to rule matching, and in a single-layer policy the enforced rule is the first matched rule.
This distinction is critical for certification and real operations. Threat Prevention is not a replacement for the Access Control decision; it is a follow-up inspection layer for already accepted traffic. A non-match in Threat Prevention means the traffic is outside the configured protected scope or rule conditions, so the Threat Prevention engine does not apply a prevent/drop/reject action to it. Reject and Drop are enforcement outcomes for matched malicious or blocked traffic, not for unmatched Threat Prevention traffic. Detect is a logging/enforcement mode for matched protections, not the default result of no rule match. Reference topics: Threat Prevention Policy, ordered layer behavior, protected scope, first-match rule logic, unmatched traffic handling.
Which statement is true concerning the Custom Policy Tools?
A. Block List files - Configure disallowed files.
B. Allow List Files - Configure allowed files.
C. Indicators - Configure indicators for benign activity.
D. Profiles - Edit profiles which are only available for Autonomous Threat Prevention.
The correct answer is A. Block List files - Configure disallowed files. Custom Policy Tools are used to manage Threat Prevention objects and enforcement helpers under the Threat Prevention policy view. A Block List file is used to define files that should be treated as disallowed, blocked, or explicitly malicious/undesired according to the policy objective. This is the opposite of the Allow List, which Check Point documents as a list of trusted files that the Threat Prevention engine does not inspect for malware, viruses, and bots, helping reduce gateway resource utilization. The official guide shows Allow List Files under Threat Prevention > Custom Policy Tools > Allow List Files.
Option A is therefore the correct true statement because it accurately describes the role of block-list file handling. Option B sounds plausible but is not the tested correct statement in this question’s answer key; the course item is specifically validating the Block List definition. Option C is incorrect because indicators are not “benign activity”; indicators usually represent observables such as IPs, domains, URLs, or hashes used for threat intelligence or enforcement. Option D is incorrect because profiles are not only available for Autonomous Threat Prevention; Custom Threat Prevention also uses profiles such as Basic, Optimized, and Strict. Reference topics: Custom Policy Tools, Block List Files, Allow List Files, Indicators, Threat Prevention Profiles.
TESTED 31 May 2026