Which Threat Prevention signature updates can you trigger manually?
Not everything is updated automatically.
Only IPS.
IPS and antivirus.
IPS, Antivirus and Antibot.
The correct answer is D. IPS, Antivirus and Antibot. Threat Prevention updates can be scheduled automatically, but administrators can also manually trigger updates for the major signature/intelligence-driven Threat Prevention blades. Check Point’s scheduled-update documentation states that automatic gateway updates can be configured for Anti-Virus, Anti-Bot, Threat Emulation, and IPS blades. It also explains that Anti-Virus, Anti-Bot, and Threat Emulation gateways download updates directly from the Check Point cloud, while IPS update behavior changed from management-based enforcement before R80.20 to gateway direct download starting in R80.20.
In the exam context, the manually triggered signature-update set is IPS, Anti-Virus, and Anti-Bot. These blades depend heavily on continuously updated threat intelligence, signatures, malicious domains, command-and-control intelligence, malware classification, and IPS protection packages. Option B is too narrow because IPS is not the only manually updateable Threat Prevention component. Option C is incomplete because it omits Anti-Bot. Option A is not a valid update-set answer. Operationally, manual updates are used when an urgent threat advisory, lab recommendation, incident response condition, or failed scheduled update requires immediate refresh of protection data. Reference topics: Threat Prevention Updates, IPS Updates, Anti-Virus Updates, Anti-Bot Updates, scheduled and manual update workflow.
What is necessary to activate the exception to all Security Gateways?
Install Database is sufficient.
You have to re-install the Threat Prevention policy.
You have to re-install the Access Control policy.
The changes will be applied immediately, so no need to do anything.
The correct answer is B. You have to re-install the Threat Prevention policy. Threat Prevention exceptions are policy constructs, so they must be compiled and installed to the relevant Security Gateways before they affect enforcement. Check Point documentation for creating IPS exceptions shows the workflow: create or configure the exception rule, click OK, and then Install Policy. The Custom Threat Prevention guide also explains that Threat Prevention blades have a dedicated Threat Prevention policy and that this policy can be installed separately from Access Control. It explicitly recommends installing only the Threat Prevention policy to minimize performance impact on Security Gateways.
This is why Install Database is not sufficient. Install Database updates management-side objects and databases, but it does not enforce a new Threat Prevention exception on gateways. Installing Access Control policy is also the wrong policy domain because Anti-Virus, Anti-Bot, IPS, Threat Emulation, and Threat Extraction exceptions belong to Threat Prevention. The change is not immediately active because Security Gateways enforce compiled policy, not unpublished or uninstalled SmartConsole changes. Reference topics: Threat Prevention Exceptions, IPS Exceptions, policy installation targets, dedicated Threat Prevention policy, exception enforcement lifecycle.
What is the purpose of the Profile Cleanup option?
It lets you start over by removing all administrator overrides.
It merges protection settings from multiple profiles into the Optimized Profile.
It serves as a cleanup policy if none of the protection matches the packets.
It eliminates protections automatically that haven't been used for a predefined amount of time.
The correct answer is A. It lets you start over by removing all administrator overrides. Profile Cleanup is a profile-maintenance function used when manual IPS protection changes have accumulated and the administrator wants to return the profile to its intended baseline logic. Check Point’s IPS Protections documentation describes the Profile Cleanup window as offering actions such as Remove all user modified and Clear all staging, followed by installing the Threat Prevention Policy.
This makes the feature a reset and hygiene mechanism, not a rulebase cleanup rule. It removes administrator-level overrides that may have been introduced during tuning, temporary mitigation, testing, exception handling, or staged rollout of protections. Option B is incorrect because Profile Cleanup does not merge settings from several profiles into the Optimized Profile. Option C is incorrect because unmatched traffic handling is controlled by policy/rule behavior, not by Profile Cleanup. Option D is incorrect because protections are not automatically removed based on usage age by this option. The administrative value of Profile Cleanup is control: it lets the security architect re-align a profile with its default or intended activation criteria. Reference topics: IPS Protections, Activation Overrides, Profile Cleanup, Staging, Threat Prevention Policy installation.
Which is NOT an available setting under Custom Policy Tools?
IPS Protections
UserCheck
Indicators
Malicious Activity Detection
The correct answer is B. UserCheck. In SmartConsole, Custom Policy Tools are used to manage Threat Prevention policy objects and tuning components such as profiles, IPS protections, indicators, and protection categories. The official R81.20 guide shows Custom Policy Tools > Profiles for profile creation, editing, and cloning, and Custom Policy Tools > IPS Protections for managing IPS protection behavior. The same guide also shows Custom Policy Tools > Indicators as the location used to configure external IoC feeds.
Malicious Activity Detection is represented through Threat Prevention protection types: the Protections Browser displays protection types, and the guide states that Malicious Activity and Unusual Activity protection types contain lists of protections. UserCheck, however, is not itself a Custom Policy Tools setting. It is a user interaction and notification mechanism configured inside relevant blade/profile settings, such as Anti-Bot or Zero Phishing UserCheck messages. Therefore, among the choices, UserCheck is the item that does not belong as an available Custom Policy Tools setting. Reference topics: Custom Policy Tools, IPS Protections, Indicators, Threat Prevention Profiles, Protections Browser, UserCheck settings.
What are the three IPS update options?
Auto Update, Policy Update, Update Now
Update Now, Schedule Update, Follow Protections
Update Now, Schedule Update, Follow policy
Manual Update, Scheduled Update, Auto Update
The correct answer is B. Update Now, Schedule Update, Follow Protections. Check Point IPS protection maintenance includes manual updating, scheduled updating, and a follow-up workflow for newly updated protections. The official IPS Protections documentation explains that administrators can immediately update IPS from Custom Policy Tools > Updates > IPS > Update Now, and that IPS protections can also be updated by configuring a schedule for automatic downloads. It also notes that IPS updates require Threat Prevention Policy installation for enforcement.
The same IPS Protections section describes Follow Up behavior for protections: administrators can mark protections for follow-up, filter on them later, and updated protections can be automatically marked for follow-up so they can be reviewed after update. In the course-question wording, this maps to “Follow Protections.” The purpose is operational control: update now provides immediate package retrieval, scheduled update automates routine maintenance, and follow protections gives administrators a practical workflow to review newly added or changed IPS protections. The other options either use non-standard names or omit the protection-review workflow. Reference topics: IPS Protections, Update Now, Scheduling IPS Updates, Follow Up Protections, Threat Prevention Policy installation.
Which statement is true concerning the Custom Policy Tools?
Block List files - Configure disallowed files.
Allow List Files - Configure allowed files.
Indicators - Configure indicators for benign activity.
Profiles - Edit profiles which are only available for Autonomous Threat Prevention.
The correct answer is A. Block List files - Configure disallowed files. Custom Policy Tools are used to manage Threat Prevention objects and enforcement helpers under the Threat Prevention policy view. A Block List file is used to define files that should be treated as disallowed, blocked, or explicitly malicious/undesired according to the policy objective. This is the opposite of the Allow List, which Check Point documents as a list of trusted files that the Threat Prevention engine does not inspect for malware, viruses, and bots, helping reduce gateway resource utilization. The official guide shows Allow List Files under Threat Prevention > Custom Policy Tools > Allow List Files.
Option A is therefore the correct true statement because it accurately describes the role of block-list file handling. Option B sounds plausible but is not the tested correct statement in this question’s answer key; the course item is specifically validating the Block List definition. Option C is incorrect because indicators are not “benign activity”; indicators usually represent observables such as IPs, domains, URLs, or hashes used for threat intelligence or enforcement. Option D is incorrect because profiles are not only available for Autonomous Threat Prevention; Custom Threat Prevention also uses profiles such as Basic, Optimized, and Strict. Reference topics: Custom Policy Tools, Block List Files, Allow List Files, Indicators, Threat Prevention Profiles.
Which of the following protocols can be scanned by Anti-Virus?
RemoteDesktop
SNMP
CIFS
Telnet
The correct answer is C. CIFS. Check Point Anti-Virus scans file-transfer and content-bearing protocols, not arbitrary management or terminal protocols. The official Anti-Virus settings documentation lists the protocols Anti-Virus can scan as Web HTTP/HTTPS, FTP, SMB, and Mail SMTP or POP3, with additional support for IMAP and POP3.
CIFS is closely associated with Microsoft file sharing and the SMB protocol family. In the exam context, CIFS maps to the file-sharing traffic class that Anti-Virus can inspect through SMB scanning. This is why CIFS is the correct option. Remote Desktop is an interactive remote-control protocol, not a file-inspection protocol for Anti-Virus scanning in this question. SNMP is a monitoring and management protocol and does not normally carry files for malware inspection. Telnet is an interactive terminal protocol and is not an Anti-Virus file-scanning protocol. The certification distinction is that Anti-Virus inspection focuses on files and content objects crossing supported protocols, especially web downloads, FTP transfers, SMB/CIFS file access, and mail attachments. Reference topics: Anti-Virus Settings, protocol scanning, SMB/CIFS inspection, file-transfer inspection, Threat Prevention protected scope.
IPS stands for?
Invasion Prevention Software
Intrusion Prevention System
Intrusion Prevention Software
Invasion Prevention System
The correct answer is B. Intrusion Prevention System. In Check Point terminology, IPS is the Software Blade responsible for inspecting and analyzing packets and data for numerous risk types. The official Check Point Threat Prevention documentation identifies IPS as Intrusion Prevention System and describes IPS protections as part of the Threat Prevention Software Blade framework.
IPS is more than a simple signature engine. It provides vulnerability-oriented and exploit-oriented protections, including protections mapped to CVEs, protocol anomalies, command injection patterns, server-side attacks, client-side attacks, and other known or unknown exploitation behaviors. Check Point also describes IPS as delivering proactive intrusion prevention with thousands of signatures, behavioral protections, and preemptive protections, adding another layer of security above firewall enforcement.
The incorrect options misuse the term “Invasion” or replace “System” with “Software.” Although IPS is implemented as a Check Point Software Blade, the acronym itself expands to Intrusion Prevention System. In policy design, IPS is treated as a pre-infection prevention capability that stops exploitation before compromise, rather than as a post-infection malware-detection control. Reference topics: IPS Software Blade, Intrusion Prevention System definition, IPS protections, CVE-based protections, proactive intrusion prevention.
Which Tracking option can be used to capture additional data for analysis by Check Point TAC?
Alert
Forensics
SNMP
User Defined
The correct answer is B. Forensics. In Threat Prevention policy tracking, Forensics is the tracking option intended to enrich Threat Prevention logs with additional investigation data. Check Point documentation states that the Forensics option adds fields to the Threat Prevention logs, and that this extra information provides a deeper understanding of an attack. The Monitoring Threat Prevention section further explains that Advanced Forensics Details can appear in logs for supported protocols such as DNS, FTP, SMTP, HTTP, and HTTPS, and that this additional information is used by Check Point researchers to analyze attacks.
This is why Forensics is the correct TAC-oriented tracking choice. Alert is a notification-style tracking action, not a deep forensic enrichment mechanism. SNMP sends a management notification, and User Defined invokes administrator-defined alert handling rather than supplying advanced attack-analysis fields. In operational troubleshooting, Forensics is valuable because it preserves richer evidence around the inspected connection, affected blade, protocol behavior, and detection context. Reference topics: Threat Prevention Policy Track Options, Advanced Forensics Details, Logs & Monitor, TAC escalation analysis.
Which protection setting is generally the LEAST resource intensive?
Prevent
Inspect
Detect
Inactive
The correct answer is D. Inactive. A protection set to Inactive is not enforced for matching traffic, so it does not impose the same inspection and enforcement cost as active protection states. Check Point documentation explains that a Threat Prevention profile determines which protections are activated and which Software Blades are enabled for a rule or policy. The protections a profile activates depend on factors such as performance impact, threat severity, confidence level, and blade-specific settings. Check Point best-practice material also describes that administrators may tune IPS profiles and set protections to prevent, detect, or inactive.
The relative resource logic is direct: Prevent is usually the most expensive because the gateway must inspect and enforce a blocking action inline. Inspect and Detect still require traffic analysis and matching logic, even if the final result is logging rather than prevention. Inactive removes the protection from enforcement consideration, making it the lowest resource option. This does not mean administrators should disable protections indiscriminately; Inactive should be used only when justified by risk, false-positive analysis, performance tuning, or compensating controls. Reference topics: IPS profile tuning, activation settings, performance impact, Prevent/Detect/Inactive behavior, Threat Prevention optimization.
What is the name of the default Threat Prevention Profile?
Basic
Standard
Strict
Optimized
The correct answer is D. Optimized. In Check Point Threat Prevention, profiles define how the gateway applies protections across blades such as IPS, Anti-Bot, Anti-Virus, Threat Emulation, and Threat Extraction. The default profile is Optimized, because it balances effective security with acceptable gateway performance. Check Point documentation states that the Optimized profile is activated by default and that it gives excellent security with good gateway performance.
This design reflects the practical tradeoff in enterprise Threat Prevention: not every protection should be enabled at the most aggressive setting on every gateway, because high-impact protections can increase CPU consumption, latency, and inspection overhead. The Optimized profile uses criteria such as protection severity, confidence, and performance impact to activate protections that are broadly useful without creating unnecessary operational cost. Basic is less aggressive and is intended for lower-impact protection coverage. Strict provides wider coverage but can affect performance more significantly. Standard is not one of the default Threat Prevention profiles in this context. Reference topics: Threat Prevention Profiles, default profile behavior, Optimized Protection Profile settings, blade activation, security/performance balance.
What happens to traffic that matches the Access Control Policy but not the Threat Prevention Policy?
It is dropped and logged.
It is accepted and logged.
It is accepted.
The traffic is not dropped. It is simply not inspected by the Threat Prevention Engine.
The correct answer is D. The traffic is not dropped. It is simply not inspected by the Threat Prevention Engine. Access Control and Threat Prevention are separate enforcement stages. The Access Control policy first decides whether the connection is allowed, rejected, or dropped. If Access Control accepts the connection, Threat Prevention is then applied only if the connection matches a Threat Prevention rule and therefore receives a Threat Prevention profile. Check Point documentation describes Threat Prevention policy as the mechanism used to activate only the protections needed and prevent attacks that most threaten the network. It also explains that Threat Prevention policy layers calculate their action separately and that in a single layer, the first matched rule is enforced.
Therefore, if accepted traffic does not match the Threat Prevention rulebase, no Threat Prevention profile is selected for that connection. The traffic is not blocked merely because of the non-match; it passes according to the Access Control decision, but without Threat Prevention inspection. Option A is too aggressive and incorrect. Option B incorrectly assumes logging. Option C is directionally true but incomplete because the key point is that Threat Prevention inspection is not applied. Reference topics: Access Control before Threat Prevention, Threat Prevention Rule Base, profile selection, unmatched traffic, ordered layer evaluation.
Which mode allows you to tune or troubleshoot the Threat Prevention Blade?
Observe Mode
Detect Mode
Display Mode
Watch Mode
The correct answer is B. Detect Mode. Detect Mode is used when an administrator wants visibility into Threat Prevention behavior without immediately enforcing a blocking decision. In troubleshooting and tuning, this is essential because it allows security teams to identify which protections would have triggered, review logs, validate false positives, and adjust profiles or exceptions before moving to full prevention. Check Point’s official troubleshooting guidance for Autonomous Threat Prevention describes Detect Only mode and states that, in this mode, protections set to Prevent allow traffic to pass while continuing to track threats according to the Track setting.
This makes Detect Mode the correct operational mode for safe tuning. It preserves observability while reducing the risk of production disruption during policy validation, IPS profile changes, new blade rollout, or incident investigation. Observe Mode, Display Mode, and Watch Mode are not the Check Point Threat Prevention operating modes used for this purpose in the exam context. In a certification scenario, Detect Mode should be understood as a non-blocking validation state: it logs and tracks what Threat Prevention would have done, but does not stop the connection based on a Prevent action. Reference topics: Detect Only, Threat Prevention troubleshooting, profile tuning, false-positive validation, Track settings.
What are examples of evidence of compromises from inside the network in conjunction with Bot-infected systems?
Users surfing the website directly by IP address or using domains registered within the last 30 days.
Trying to access web resources using explicit proxy servers instead of transparent ones.
Repetitive access to the same specific Intranet web servers within business hours.
Trying to access a web server via HTTP instead of HTTPS.
The correct answer is A. Users surfing the website directly by IP address or using domains registered within the last 30 days. Anti-Bot is focused on post-infection compromise evidence: it identifies hosts that may already be infected and attempts to prevent command-and-control communication or other botnet behavior. Check Point documentation describes Anti-Bot as a Threat Prevention component that blocks botnet behavior and communication to Command and Control centers, while the broader Threat Prevention solution provides multi-layered pre- and post-infection defense.
Direct IP browsing and use of newly registered domains are suspicious because malware frequently avoids mature domain reputation controls, rotates infrastructure quickly, or contacts IP-based C2 endpoints directly to bypass domain-based filtering. Domains registered within a recent window are a common risk indicator because malicious campaigns often use disposable infrastructure with short operational lifetimes. Option B is not inherently evidence of bot infection; explicit proxy use may be a network design choice. Option C describes normal intranet access patterns. Option D may indicate weak encryption hygiene but is not specific evidence of compromise. In Anti-Bot analysis, indicators such as suspicious destinations, direct IP access, newly observed domains, and C2-like behavior help identify infected internal hosts. Reference topics: Anti-Bot, post-infection detection, Command and Control communication, suspicious domains, infected-host analysis.
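The two indicators named in this answer (direct-IP browsing and newly registered domains) can be checked over web-proxy logs before Anti-Bot logs are even consulted. The following script is an added example and is not code from the page or from Check Point; the log lines and the domain-registration table are constructed for the example, and a real deployment would replace the dictionary with a WHOIS/RDAP or reputation-feed lookup (an assumption of this example).

```python
"""Flag proxy log entries that show direct-IP browsing or access to recently registered domains."""
import ipaddress
from datetime import date
from urllib.parse import urlparse

# Constructed sample web-proxy log lines, format "<date> <client_ip> <url>" (not real traffic).
SAMPLE_LOG = """\
2024-05-10 10.1.2.15 http://intranet.corp.example/portal
2024-05-10 10.1.2.15 http://203.0.113.45/gate.php
2024-05-10 10.1.2.88 https://updates.vendor-example.com/patch
2024-05-10 10.1.2.88 https://qx7-cdn-live.example/beacon
2024-05-10 10.1.2.15 https://[2001:db8::1]:8443/c
"""

# Constructed stand-in for a registration-date lookup (assumption: a production check
# would query WHOIS/RDAP or a domain-reputation feed instead of this dictionary).
REGISTRATION_DATES = {
    "intranet.corp.example": date(2015, 3, 1),
    "updates.vendor-example.com": date(2012, 6, 20),
    "qx7-cdn-live.example": date(2024, 4, 25),
}

NEW_DOMAIN_WINDOW_DAYS = 30   # the "registered within the last 30 days" window from the answer


def is_ip_literal(host: str) -> bool:
    """True when the URL host is a bare IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def classify(url: str, today: date, lookup=REGISTRATION_DATES):
    """Return 'direct-ip', 'new-domain', or None for a single URL."""
    host = urlparse(url).hostname or ""      # hostname strips brackets from IPv6 literals
    if is_ip_literal(host):
        return "direct-ip"
    registered = lookup.get(host)
    if registered is not None and (today - registered).days <= NEW_DOMAIN_WINDOW_DAYS:
        return "new-domain"
    return None


def find_suspects(log_text: str, today: date):
    """Scan the log and return (client_ip, url, reason) for every suspicious access."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) != 3:
            continue                           # skip malformed lines rather than fail
        _, client, url = parts
        reason = classify(url, today)
        if reason:
            findings.append((client, url, reason))
    return findings


def suspects_by_client(log_text: str, today: date):
    """Group the reasons per internal host so repeat offenders stand out for triage."""
    grouped = {}
    for client, _, reason in find_suspects(log_text, today):
        grouped.setdefault(client, []).append(reason)
    return grouped


if __name__ == "__main__":
    for hit in find_suspects(SAMPLE_LOG, date(2024, 5, 10)):
        print(hit)
```

Neither signal is proof of infection on its own; the grouping by client is there so that an analyst can see which internal hosts accumulate several weak indicators and then correlate them against Anti-Bot logs for the same source.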
Which feature can improve performance by allowing the gateway to bypass Anti-Virus inspection of specific files?
Content Control
Exclusions
Exceptions
Bypass
The correct answer is B. Exclusions. In Anti-Virus policy design, exclusions are used to remove selected traffic or file categories from Anti-Virus inspection when inspection is unnecessary, redundant, or too costly for the business flow. Check Point documentation states that Threat Prevention can be configured to exclude files from inspection, including examples such as internal emails and internal file transfers. The same section explains that these settings are based on interface type and traffic direction.
This directly aligns with the performance objective in the question: if the gateway does not inspect files that are already trusted, internal, or operationally low-risk, Anti-Virus consumes fewer CPU, memory, buffering, and content-inspection resources. Content Control is not the Anti-Virus bypass feature named in this context. Exceptions are policy-level constructs that can exclude traffic from Threat Prevention enforcement, but the question specifically asks for the feature that improves Anti-Virus performance by bypassing inspection of specific files, which is Exclusions. Bypass describes the effect, not the named feature. Reference topics: Anti-Virus Settings, Protected Scope, file inspection exclusions, interface direction, Threat Prevention performance optimization.
How can the IPS Blade be activated?
The IPS Blade must be activated on the Management Server object and can be used on every gateway managed by this Management server.
No need to activate the IPS Blade as far as you have installed the correct IPS license on the gateways.
In a ClusterXL deployment, the IPS Blade must be activated on the individual cluster nodes.
The IPS Blade must be activated on the individual Security Gateway object.
The correct answer is D. The IPS Blade must be activated on the individual Security Gateway object. Check Point Software Blades are enabled on the enforcement point that inspects traffic, which is the Security Gateway or Cluster object, not merely on the Management Server. The official Threat Prevention guide states that to enable IPS, the administrator opens the Security Gateway / Cluster object, goes to General Properties > Network Security, selects IPS, and follows the wizard. For IPS package installation, Check Point also documents the sequence: enable IPS in the Security Gateway object, enable IPS in the corresponding Threat Prevention policy, and install the Threat Prevention Policy.
Licensing alone is therefore insufficient; a license permits use, but blade activation defines whether the gateway enforces IPS inspection. Option A is wrong because enabling the blade on the Management Server object does not activate IPS enforcement on all managed gateways. Option C is also wrong in standard ClusterXL management because blades are configured on the Cluster object, not separately and inconsistently on individual members. Operationally, enabling IPS on the correct gateway or cluster object ensures SmartConsole exposes the appropriate Threat Prevention controls and that policy installation targets the enforcement points. Reference topics: IPS Blade activation, Gateway object configuration, Threat Prevention policy installation, Cluster object management.
What action is taken by Threat Prevention for traffic that does not match any Threat Prevention rules?
Reject
Drop
Accept
Detect
The correct answer is C. Accept. Threat Prevention is applied only to traffic that has already been accepted by the Access Control policy, and then the Threat Prevention rulebase determines which protection profile, blade behavior, and tracking settings apply. When traffic does not match a Threat Prevention rule, no Threat Prevention profile is selected for that connection, so the traffic is not blocked by Threat Prevention simply because of a non-match. Check Point documentation explains that Threat Prevention policy layers calculate their actions according to rule matching, and in a single-layer policy the enforced rule is the first matched rule.
This distinction is critical for certification and real operations. Threat Prevention is not a replacement for the Access Control decision; it is a follow-up inspection layer for already accepted traffic. A non-match in Threat Prevention means the traffic is outside the configured protected scope or rule conditions, so the Threat Prevention engine does not apply a prevent/drop/reject action to it. Reject and Drop are enforcement outcomes for matched malicious or blocked traffic, not for unmatched Threat Prevention traffic. Detect is a logging/enforcement mode for matched protections, not the default result of no rule match. Reference topics: Threat Prevention Policy, ordered layer behavior, protected scope, first-match rule logic, unmatched traffic handling.
Who owns and maintains the CVE program and database?
Check Point
US Department of Homeland Security (DHS)
MITRE Corporation
National Institute of Standards and Technology (NIST)
The correct answer is C. MITRE Corporation. CVE, or Common Vulnerabilities and Exposures, is the standardized naming system used across security vendors, vulnerability databases, IPS signatures, advisories, scanners, and remediation programs. In a Check Point Threat Prevention context, CVE identifiers are important because IPS protections frequently map detections and exploit protections to known vulnerabilities. This allows administrators to correlate a Check Point IPS protection with vendor advisories, exposure management, patching, and risk prioritization. The official CVE site describes CVE as an authoritative reference method for publicly known information-security vulnerabilities and exposures. MITRE documentation states that The MITRE Corporation maintains CVE and its public website, manages compatibility, and provides technical guidance to the CVE Editorial Board.
The distractors represent related but distinct roles. DHS/CISA has historically sponsored or funded the program, but sponsorship is not ownership and maintenance of the CVE list itself. NIST maintains the National Vulnerability Database, which enriches CVE data with scoring and analysis, but NVD is downstream from CVE identifiers. Check Point consumes CVE intelligence through IPS and ThreatCloud-driven protections; it does not own the CVE program. Reference topics: IPS vulnerability mapping, CVE-based protection metadata, threat intelligence normalization, vulnerability-to-protection correlation.
What is the recommended setting for Anti-Virus and why?
Background because it is Post-infection
Hold because it is Pre-infection and inspects a limited subset of traffic
Hold because it inspects a limited subset of traffic
Background because it inspects a large subset of traffic
The correct answer is D. Background because it inspects a large subset of traffic. Anti-Virus is a pre-infection Threat Prevention blade that can inspect broad user traffic categories, including web and file-transfer flows. Because the inspection scope can be large, the selected enforcement behavior directly affects latency, user experience, and gateway resource consumption. Check Point documentation identifies Anti-Virus as a blade that scans protocols such as HTTP/HTTPS, FTP, SMB, and mail-related traffic depending on configuration, with additional protocol support documented for IMAP and POP3.
The Background setting is recommended in this context because it avoids unnecessarily holding a large volume of traffic while inspection continues. Hold mode is stricter because it delays delivery until inspection completes or a timeout condition is reached, but that strictness can introduce user-facing delay when applied broadly. Option A is incorrect because Anti-Virus is not post-infection; it prevents malware before user impact. Options B and C are incorrect because they associate Hold mode with a limited inspection scope, while Anti-Virus commonly applies to a large and performance-sensitive traffic set. Reference topics: Anti-Virus Settings, protocol inspection scope, Background versus Hold behavior, performance impact, pre-infection prevention.
What is the maximum number of patterns/observables supported in R81.20 IOC Files?
Unlimited
1 Million
Limited by available memory
2 Million
The correct answer for the uploaded course-question set is B. 1 Million. IOC files are used to import indicators of compromise so that the gateway can match known malicious or suspicious observables such as domains, URLs, IP addresses, and file hashes. In the Threat Prevention architecture, these indicators complement ThreatCloud intelligence by letting administrators add organization-specific or third-party intelligence into enforcement. The key certification point in this question is scale: R81.20 IOC Files are tested with a maximum of 1 million patterns or observables in this exam context.
Operationally, this limit matters because large IOC files affect memory use, update processing, compilation time, and gateway enforcement behavior. Architects should avoid treating IOC ingestion as unlimited; feeds must be curated, deduplicated, normalized, and prioritized. The current public R81.20 release documentation distinguishes expanded IoC feed scale and states that IoC feeds can support significantly more observables on XFS systems, while EXT3 has a lower limit. For this specific question wording, however, the answer key’s “IOC Files” limit is 1 Million, while later Custom Threat Indicators and external-feed capacities are treated separately in related questions. Reference topics: IOC Files, Threat Indicators, R81.20 Threat Prevention, observable limits, feed sizing and gateway resource planning.
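The curation step described above (normalize, deduplicate, enforce a size limit before loading) is shown below as an added example; it is not code from the page or from Check Point. The three-column CSV layout and the feed contents are constructed for the example and are not Check Point's indicator-file format, and the limit constant simply reuses the 1 million figure from the answer key.

```python
"""Normalize, deduplicate and size-check a custom indicator feed before it is loaded."""
import csv
import io
import ipaddress
import re

MAX_OBSERVABLES = 1_000_000   # the IOC Files limit stated in the answer key above

# Constructed sample feed. The column layout is a simplified assumption for this example,
# not Check Point's real indicator-file format. It deliberately contains near-duplicates,
# a malformed address and a defanged URL.
SAMPLE_FEED = """\
name,value,type
c2-a,Evil-Domain.Example.,domain
c2-a-dup,evil-domain.example,domain
c2-ip,203.0.113.9,ip
c2-ip-bad,203.0.113.999,ip
hash-1,D41D8CD98F00B204E9800998ECF8427E,md5
hash-1-dup,d41d8cd98f00b204e9800998ecf8427e,md5
url-1,hxxp://Evil-Domain.Example/Drop,url
"""

HEX_RE = re.compile(r"^[0-9a-f]+$")
HASH_LENGTHS = {"md5": 32, "sha1": 40, "sha256": 64}


def normalize(value: str, kind: str):
    """Return the canonical form of an observable, or None if it is malformed."""
    v = value.strip()
    if kind == "domain":
        v = v.lower().rstrip(".")            # case-fold and drop a trailing root dot
        return v if re.fullmatch(r"[a-z0-9.-]+", v) and "." in v else None
    if kind == "ip":
        try:
            return str(ipaddress.ip_address(v))   # rejects out-of-range octets
        except ValueError:
            return None
    if kind in HASH_LENGTHS:
        v = v.lower()
        return v if len(v) == HASH_LENGTHS[kind] and HEX_RE.match(v) else None
    if kind == "url":
        v = re.sub(r"^hxxp(s?)://", r"http\1://", v, flags=re.I)   # undo hxxp defanging
        scheme, sep, rest = v.partition("://")
        if not sep:
            return None
        host, slash, path = rest.partition("/")
        return f"{scheme.lower()}://{host.lower()}{slash}{path}"   # host case-folded, path kept
    return None                                # unknown type: reject rather than guess


def curate(feed_text: str, limit: int = MAX_OBSERVABLES):
    """Return (kept, rejected); raise if the curated feed still exceeds the limit."""
    seen, kept, rejected = set(), [], []
    for row in csv.DictReader(io.StringIO(feed_text)):
        canon = normalize(row["value"], row["type"])
        if canon is None:
            rejected.append((row["name"], "malformed"))
            continue
        key = (row["type"], canon)
        if key in seen:
            rejected.append((row["name"], "duplicate"))
            continue
        seen.add(key)
        kept.append({"name": row["name"], "value": canon, "type": row["type"]})
    if len(kept) > limit:
        raise ValueError(f"{len(kept)} observables exceed the limit of {limit}")
    return kept, rejected


if __name__ == "__main__":
    kept, rejected = curate(SAMPLE_FEED)
    print(f"kept {len(kept)}, rejected {len(rejected)}: {rejected}")
```

Deduplicating after normalization (not before) is the point: the two domain rows and the two hash rows differ only in case and a trailing dot, and would both be loaded, and both count toward the limit, if the feed were deduplicated on raw strings.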
What is true concerning the Threat Prevention Policy?
Multiple Threat Prevention Policies can be assigned to one Security Gateway.
The Threat Prevention Policy can override an Access Control Policy Drop or Reject.
In a case of a conflict, the Threat Prevention Policy takes precedence over an Access Control Policy.
The Threat Prevention Policy is only applied after traffic is accepted by Access Control Policy.
The correct answer is D. The Threat Prevention Policy is only applied after traffic is accepted by Access Control Policy. Threat Prevention is a follow-up inspection framework for traffic that has already passed the access decision. The Access Control policy determines whether a connection is allowed, rejected, or dropped. Only traffic that is allowed by Access Control can proceed into Threat Prevention evaluation for IPS, Anti-Bot, Anti-Virus, Threat Emulation, and related blades. Check Point’s policy workflow separates Access Control and Threat Prevention, and the Threat Prevention guide describes the Threat Prevention rulebase as the policy used to activate needed protections and prevent attacks against accepted traffic flows.
Options B and C are incorrect because Threat Prevention does not resurrect or override a connection that Access Control has already dropped or rejected. The inspection chain is sequential from an enforcement perspective: blocked traffic does not continue to malware or IPS inspection as an accepted connection. Option A is also incorrect because a gateway is assigned policy through its policy package and Threat Prevention policy structure, not by stacking multiple independent Threat Prevention policies on the same target as competing enforcement policies. Reference topics: Threat Prevention Policy workflow, Access Control then Threat Prevention sequence, policy package enforcement, accepted-traffic inspection.
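The evaluation order discussed in this answer, and in the two earlier questions on unmatched Threat Prevention traffic and the Accept outcome, is easiest to see as a small model: a first-match Access Control rulebase runs first, and only accepted connections are offered to a first-match Threat Prevention rulebase that assigns a profile. The model below is an added example and is not Check Point code; the rules and connections are constructed, and Protected Scope matching is simplified to "either endpoint lies in the scope" (an assumption of this example, not a description of the real matching engine).

```python
"""Two-stage evaluation model: Access Control first-match, then Threat Prevention first-match."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Connection:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class AccessRule:
    src: str               # CIDR or "any"
    dst: str               # CIDR or "any"
    dport: Optional[int]   # None = any port
    action: str            # "accept" | "drop" | "reject"


@dataclass(frozen=True)
class TPRule:
    protected_scope: str   # CIDR or "any": the hosts this rule protects
    profile: str           # profile assigned on match, e.g. "Optimized" or "Strict"


def in_scope(ip: str, scope: str) -> bool:
    return scope == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(scope)


def access_control(conn: Connection, rules) -> str:
    """First-match Access Control; an implicit cleanup drop applies when nothing matches."""
    for r in rules:
        if in_scope(conn.src, r.src) and in_scope(conn.dst, r.dst) and r.dport in (None, conn.dport):
            return r.action
    return "drop"


def threat_prevention(conn: Connection, rules) -> Optional[str]:
    """First-match Threat Prevention. Simplified model: a rule matches when either endpoint
    lies in its Protected Scope. Returns the selected profile, or None when no rule matches."""
    for r in rules:
        if in_scope(conn.src, r.protected_scope) or in_scope(conn.dst, r.protected_scope):
            return r.profile
    return None


def evaluate(conn: Connection, ac_rules, tp_rules) -> dict:
    verdict = access_control(conn, ac_rules)
    if verdict != "accept":
        # Dropped or rejected traffic never reaches Threat Prevention, which cannot override it.
        return {"access": verdict, "profile": None, "inspected": False}
    profile = threat_prevention(conn, tp_rules)
    # Accepted but unmatched by Threat Prevention: the traffic passes with no profile
    # and therefore no Threat Prevention inspection.
    return {"access": "accept", "profile": profile, "inspected": profile is not None}


# Constructed sample rulebases (not from the page). The Threat Prevention rulebase has no
# catch-all rule on purpose, so accepted traffic outside 10.10.0.0/16 is never inspected.
AC_RULES = [
    AccessRule("any", "10.10.0.0/16", 443, "accept"),
    AccessRule("any", "10.20.0.0/16", None, "accept"),
    AccessRule("any", "any", None, "drop"),
]
TP_RULES = [TPRule("10.10.0.0/16", "Strict")]

if __name__ == "__main__":
    for c in (Connection("192.0.2.5", "10.10.1.1", 443),
              Connection("192.0.2.5", "10.20.1.1", 8080),
              Connection("192.0.2.5", "10.30.1.1", 443)):
        print(c, evaluate(c, AC_RULES, TP_RULES))
```

The second sample connection is the exam case: Access Control accepts it, no Threat Prevention rule covers 10.20.0.0/16, so it is forwarded with `inspected` false. Reviewing a Threat Prevention rulebase for exactly this gap (accepted scopes that no rule protects) is the practical takeaway.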
What are the logical components of a SNORT rule?
Rule Header / rule body
Rule Header and Rule Options
Rule start / rule stop
Rule start / rule options
The correct answer is B. Rule Header and Rule Options. Check Point supports SNORT rule import so administrators can create custom IPS protections from SNORT signatures. The official Check Point SNORT Signature Support documentation states that SNORT rules use signatures to define attacks and that a SNORT rule has a rule header and rule options. It also provides the syntax structure, where the first section contains action, protocol, source, destination, ports, and direction, while the options section contains keywords such as message and content match criteria.
The Rule Header defines the traffic selector and enforcement context: protocol, source address, source port, direction, destination address, and destination port. The Rule Options define the detection logic and metadata inside parentheses, such as msg, content, and other matching keywords. “Rule body” is not the formal Check Point/SNORT term in this context, and “rule start/rule stop” is not a recognized logical construction. This matters because imported SNORT rules become IPS protections, so syntax correctness affects whether the Management Server can parse, import, and enforce the custom signature. Reference topics: SNORT Signature Support, Custom IPS Protections, Rule Header, Rule Options, imported SNORT protections.
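The two logical components can be seen directly by splitting a rule into the seven header fields and the parenthesised option list, which is also the kind of pre-check worth running on a rule file before importing it as custom IPS protections. The parser below is an added example and is not Check Point's importer or the Snort project's parser; the sample rules are constructed (with `msg` text and SIDs chosen for the example) and follow the Snort 2.x rule syntax the page describes.

```python
"""Split a Snort rule into its two logical components: Rule Header and Rule Options."""
import re
from dataclasses import dataclass, field

# Constructed sample rules (not from the page); syntax follows Snort 2.x conventions.
SAMPLE_RULES = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE web probe"; '
    'content:"/admin.php"; nocase; sid:1000001; rev:1;)',
    'drop udp any any -> 10.0.0.0/8 53 (msg:"EXAMPLE suspicious DNS"; sid:1000002;)',
]


@dataclass
class SnortRule:
    action: str
    protocol: str
    src: str
    src_port: str
    direction: str
    dst: str
    dst_port: str
    options: list = field(default_factory=list)   # list of (keyword, value or None)


# Header: action protocol src src_port direction dst dst_port, then "(" options ")".
HEADER_RE = re.compile(
    r'^\s*(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$',
    re.DOTALL,
)


def split_options(body: str) -> list:
    """Split 'key:value; flag; ...' on ';' while respecting quoted strings and '\\' escapes."""
    tokens, cur, in_quote, i = [], [], False, 0
    while i < len(body):
        ch = body[i]
        if ch == '\\' and i + 1 < len(body):      # keep escaped char (e.g. \" or \;) verbatim
            cur.append(body[i:i + 2])
            i += 2
            continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ';' and not in_quote:
            token = ''.join(cur).strip()
            if token:
                tokens.append(token)
            cur = []
        else:
            cur.append(ch)
        i += 1
    tail = ''.join(cur).strip()
    if tail:
        tokens.append(tail)
    parsed = []
    for token in tokens:
        if ':' in token:
            key, value = token.split(':', 1)
            parsed.append((key.strip(), value.strip()))
        else:
            parsed.append((token, None))              # bare modifier such as nocase
    return parsed


def parse_rule(text: str) -> SnortRule:
    """Parse one rule; raise ValueError when the header or option block is malformed."""
    m = HEADER_RE.match(text)
    if not m:
        raise ValueError("not a valid Snort rule: header or option block missing")
    action, proto, src, sport, direction, dst, dport, body = m.groups()
    rule = SnortRule(action, proto, src, sport, direction, dst, dport, split_options(body))
    keys = [k for k, _ in rule.options]
    if 'msg' not in keys or 'sid' not in keys:
        raise ValueError("rule options must carry msg and sid")
    return rule


def logical_parts(rule: SnortRule) -> dict:
    """Present the rule as the two components named in the answer: header and options."""
    header = {k: getattr(rule, k) for k in
              ("action", "protocol", "src", "src_port", "direction", "dst", "dst_port")}
    return {"header": header, "options": rule.options}


if __name__ == "__main__":
    for text in SAMPLE_RULES:
        print(logical_parts(parse_rule(text)))
```

The `msg`/`sid` check mirrors the kind of syntax validation that decides whether an imported signature is usable: a rule whose options block is missing or unparsable is rejected here rather than silently producing an empty protection.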
Copyright © 2021-2026 CertsTopics. All Rights Reserved