156-590 Exam Dumps : Check Point Certified Threat Prevention Specialist (CTPS)

The correct answer is B. Detect Mode . Detect Mode is used when an administrator wants visibility into Threat Prevention behavior without immediately enforcing a blocking decision. In troubleshooting and tuning, this is essential because it allows security teams to identify which protections would have triggered, review logs, validate false positives, and adjust profiles or exceptions before moving to full prevention. Check Point’s official troubleshooting guidance for Autonomous Threat Prevention describes Detect Only mode and states that protections set to Prevent allow traffic to pass while continuing to track threats according to the Track setting.

This makes Detect Mode the correct operational mode for safe tuning. It preserves observability while reducing the risk of production disruption during policy validation, IPS profile changes, new blade rollout, or incident investigation. Observe Mode , Display Mode , and Watch Mode are not the Check Point Threat Prevention operating modes used for this purpose in the exam context. In a certification scenario, Detect Mode should be understood as a non-blocking validation state: it logs and tracks what Threat Prevention would have done, but does not stop the connection based on a Prevent action. Reference topics: Detect Only, Threat Prevention troubleshooting, profile tuning, false-positive validation, Track settings.

The correct answer is D. The IPS Blade must be activated on the individual Security Gateway object . Check Point Software Blades are enabled on the enforcement point that inspects traffic, which is the Security Gateway or Cluster object, not merely on the Management Server. The official Threat Prevention guide states that to enable IPS, the administrator opens the Security Gateway / Cluster object , goes to General Properties > Network Security , selects IPS , and follows the wizard. For IPS package installation, Check Point also documents the sequence: enable IPS in the Security Gateway object, enable IPS in the corresponding Threat Prevention policy, and install the Threat Prevention Policy.

Licensing alone is therefore insufficient; a license permits use, but blade activation defines whether the gateway enforces IPS inspection. Option A is wrong because enabling the blade on the Management Server object does not activate IPS enforcement on all managed gateways. Option C is also wrong in standard ClusterXL management because blades are configured on the Cluster object, not separately and inconsistently on individual members. Operationally, enabling IPS on the correct gateway or cluster object ensures SmartConsole exposes the appropriate Threat Prevention controls and that policy installation targets the enforcement points. Reference topics: IPS Blade activation, Gateway object configuration, Threat Prevention policy installation, Cluster object management.

The correct answer is A. It lets you start over by removing all administrator overrides . Profile Cleanup is a profile-maintenance function used when manual IPS protection changes have accumulated and the administrator wants to return the profile to its intended baseline logic. Check Point’s IPS Protections documentation describes the Profile Cleanup window as offering actions such as Remove all user modified and Clear all staging , followed by installing the Threat Prevention Policy.

This makes the feature a reset and hygiene mechanism, not a rulebase cleanup rule. It removes administrator-level overrides that may have been introduced during tuning, temporary mitigation, testing, exception handling, or staged rollout of protections. Option B is incorrect because Profile Cleanup does not merge settings from several profiles into the Optimized Profile. Option C is incorrect because unmatched traffic handling is controlled by policy/rule behavior, not by Profile Cleanup. Option D is incorrect because protections are not automatically removed based on usage age by this option. The administrative value of Profile Cleanup is control: it lets the security architect re-align a profile with its default or intended activation criteria. Reference topics: IPS Protections, Activation Overrides, Profile Cleanup, Staging, Threat Prevention Policy installation.