Checkpoint 156-590 - Check Point Certified Threat Prevention Specialist (CTPS)

The correct answer is D. Basic, Optimized, Strict . Check Point supplies out-of-the-box Threat Prevention profiles to give administrators predefined security/performance baselines. The official Threat Prevention Profiles section states that administrators can clone a selected profile but cannot change the out-of-the-box profiles: Basic, Optimized, and Strict .

These profiles represent different operating postures. Basic is designed for reliable protection with lower performance impact. Optimized is the default-style balanced approach, providing strong protection for common products and protocols while preserving gateway performance. Strict provides wider coverage and more aggressive protection selection, but can increase inspection cost and may require closer tuning. The other answer choices describe architectural traffic directions or deployment zones, not the official preconfigured profile names. “Perimeter,” “Datacenter,” and “East-West” are useful design concepts, especially in modern segmentation and Autonomous Threat Prevention discussions, but they are not the three preconfigured Custom Threat Prevention profiles in this question. From a certification perspective, the distinction matters because profiles are selected as the Action in Threat Prevention rules and determine which protections and blades are active. Reference topics: Threat Prevention Profiles, out-of-the-box profiles, Basic profile, Optimized profile, Strict profile, profile cloning.

The correct answer is B. You have to re-install the Threat Prevention policy . Threat Prevention exceptions are policy constructs, so they must be compiled and installed to the relevant Security Gateways before they affect enforcement. Check Point documentation for creating IPS exceptions shows the workflow: create or configure the exception rule, click OK, and then Install Policy . The Custom Threat Prevention guide also explains that Threat Prevention blades have a dedicated Threat Prevention policy and that this policy can be installed separately from Access Control. It explicitly recommends installing only the Threat Prevention policy to minimize performance impact on Security Gateways.

This is why Install Database is not sufficient. Install Database updates management-side objects and databases, but it does not enforce a new Threat Prevention exception on gateways. Installing Access Control policy is also the wrong policy domain because Anti-Virus, Anti-Bot, IPS, Threat Emulation, and Threat Extraction exceptions belong to Threat Prevention. The change is not immediately active because Security Gateways enforce compiled policy, not unpublished or uninstalled SmartConsole changes. Reference topics: Threat Prevention Exceptions, IPS Exceptions, policy installation targets, dedicated Threat Prevention policy, exception enforcement lifecycle.

The correct answer is A. The best practice for all Check Point delivered profiles and object is to first clone them and work on the clones . Check Point’s out-of-the-box Threat Prevention profiles are predefined baselines intended to provide known security and performance behavior. The official Threat Prevention Profiles documentation states that administrators can create a clone of a selected profile and then make changes, but they cannot change the out-of-the-box profiles: Basic, Optimized, and Strict . The documented workflow is to right-click the profile, select Clone , rename the copied profile, configure settings, and then install policy.

This is the correct operational model because vendor-delivered profiles are reference baselines. Modifying production enforcement should be done in a cloned profile so that the original baseline remains available for comparison, rollback, and troubleshooting. Option B is incorrect because deleting predefined profiles and rebuilding from scratch is unsafe and unnecessary. Option C is not the standard best-practice answer; performance impact should be managed by profile criteria and IPS tuning, not by a separate “performance check tool” workflow in this question. Option D is incorrect because profile changes can materially affect both security posture and gateway performance. Reference topics: Threat Prevention Profiles, Basic/Optimized/Strict profiles, profile cloning, policy installation, IPS tuning baseline.

The correct answer is C. This feature is to prevent IPS Enforcement to interfere with important Security Gateway operations, such as Control Connections . IPS Implied Exceptions are designed as safeguard exceptions for traffic that is necessary for the Security Gateway, management, or Check Point infrastructure to operate correctly. The purpose is not to define general unmatched-traffic behavior. Instead, they prevent IPS enforcement from disrupting essential control-plane and gateway-related communications. Check Point’s Threat Prevention exception documentation shows that IPS exceptions are a formal part of policy tuning and that exception changes are enforced through policy installation.

The operational logic is straightforward: IPS protections can be aggressive, and some protections inspect protocol behavior that may resemble attack traffic. If critical control connections, management channels, clustering traffic, or internal gateway operations were treated exactly like ordinary data-plane traffic, IPS could interfere with the stability of the platform. Implied Exceptions provide a built-in safety layer to avoid that outcome. Options A, B, and D incorrectly describe rulebase cleanup behavior or layer absence behavior. Those concerns are handled by policy structure, ordered layers, and default/cleanup behavior, not by IPS Implied Exceptions. Reference topics: IPS Exceptions, Implied IPS Exceptions, control connections, gateway operations, exception rule policy installation.

The correct answer is B. Rule Header and Rule Options . Check Point supports SNORT rule import so administrators can create custom IPS protections from SNORT signatures. The official Check Point SNORT Signature Support documentation states that SNORT rules use signatures to define attacks and that a SNORT rule has a rule header and rule options . It also provides the syntax structure, where the first section contains action, protocol, source, destination, ports, and direction, while the options section contains keywords such as message and content match criteria.

The Rule Header defines the traffic selector and enforcement context: protocol, source address, source port, direction, destination address, and destination port. The Rule Options define the detection logic and metadata inside parentheses, such as msg, content, and other matching keywords. “Rule body” is not the formal Check Point/SNORT term in this context, and “rule start/rule stop” is not a recognized logical construction. This matters because imported SNORT rules become IPS protections, so syntax correctness affects whether the Management Server can parse, import, and enforce the custom signature. Reference topics: SNORT Signature Support, Custom IPS Protections, Rule Header, Rule Options, imported SNORT protections.

The correct answer is D. Background because it inspects a large subset of traffic . Anti-Virus is a pre-infection Threat Prevention blade that can inspect broad user traffic categories, including web and file-transfer flows. Because the inspection scope can be large, the selected enforcement behavior directly affects latency, user experience, and gateway resource consumption. Check Point documentation identifies Anti-Virus as a blade that scans protocols such as HTTP/HTTPS, FTP, SMB, and mail-related traffic depending on configuration, with additional protocol support documented for IMAP and POP3.

The Background setting is recommended in this context because it avoids unnecessarily holding a large volume of traffic while inspection continues. Hold mode is stricter because it delays delivery until inspection completes or a timeout condition is reached, but that strictness can introduce user-facing delay when applied broadly. Option A is incorrect because Anti-Virus is not post-infection; it prevents malware before user impact. Options B and C are incorrect because they associate Hold mode with a limited inspection scope, while Anti-Virus commonly applies to a large and performance-sensitive traffic set. Reference topics: Anti-Virus Settings, protocol inspection scope, Background versus Hold behavior, performance impact, pre-infection prevention.

The correct answer is B. 1. Integrated/Standalone and 2. Dedicated Server . SmartEvent is Check Point’s event analysis, correlation, and reporting platform. Official Check Point Logging and Monitoring documentation explains that SmartEvent Server is integrated with the Security Management Server architecture and can communicate with Log Servers to read and analyze logs. It further states that administrators can enable SmartEvent on the Security Management Server or deploy it as a dedicated server . In Multi-Domain environments, Check Point requires SmartEvent on a dedicated server.

This maps directly to the course terminology: integrated or standalone deployment means SmartEvent runs on the existing management architecture, while a dedicated server deployment separates SmartEvent components onto another machine for scale, retention, performance, or Multi-Domain requirements. Option A uses generic distributed language but not the tested Check Point deployment wording. Option C confuses SmartEvent deployment with Threat Prevention enforcement states such as Prevent and Detect. Option D refers to clustering concepts and does not describe SmartEvent deployment models. In production design, dedicated SmartEvent is preferred when log volume is high, reporting is heavily used, or event correlation must not compete with management operations. Reference topics: Deploying SmartEvent, SmartEvent Server, Correlation Unit, Integrated/Standalone deployment, Dedicated SmartEvent Server.

The correct answer is B. CPU Utilization . IPS protection selection and activation are based on protection metadata and profile criteria, not a direct CPU-utilization rating. The official Threat Prevention guide states that a Threat Prevention profile activates protections according to factors including performance impact of the protection , severity of the threat , confidence that a protection can correctly identify an attack , and settings specific to the Software Blade.

The same R81.20 guide shows how the Optimized profile uses these criteria: protections are set to Prevent or Detect based on Confidence Level , Performance Impact , and Severity thresholds. CPU utilization is certainly relevant in performance troubleshooting, capacity planning, and operational monitoring, but it is not one of the IPS protection-selection ratings. In practice, CPU usage is an observed runtime metric, while Performance Impact is the predefined protection attribute used by profiles to decide whether a protection should be active, detect-only, or prevented. This distinction matters in certification: IPS tuning is driven by profile attributes, while CPU utilization is reviewed afterward through monitoring tools such as CPView, logs, and performance diagnostics. Reference topics: IPS Protection ratings, Threat Prevention Profiles, Severity, Confidence Level, Performance Impact, activation criteria.

The correct current official-guide answer is A. Every two hours . Starting from R80.20, Check Point changed IPS update behavior so that gateways can directly download Threat Prevention updates instead of relying only on the Security Management Server and policy installation workflow. The official R80.20 SmartConsole Help states that, starting from R80.20, gateways can directly download updates, while gateways without Internet connectivity still require policy installation to enforce updates. The same official section states that IPS, Anti-Virus and Anti-Bot updates are performed every two hours by default .

This is the key distinction for R80.20 and later. Earlier operational models were more management-server centered, but R80.20+ supports gateway-side automatic update behavior. Every 24 hours is not the current documented default for IPS, Anti-Virus, and Anti-Bot updates in this R80.20+ context. Threat Emulation engine and image updates have separate daily default schedules, which can create confusion if update types are mixed together. Option C and D are also incorrect because the official default is neither hourly nor every four hours. Reference topics: Threat Prevention Scheduled Updates, R80.20 gateway direct updates, IPS update frequency, Anti-Virus and Anti-Bot updates, policy installation for offline gateways.

The correct answer is D. 2 million . In R81.20, Check Point expanded the supported scale for custom threat intelligence observables. The R81.20 Threat Prevention Administration Guide states that, starting from R81.20, the Security Gateway supports at least 2 million patterns/observables for URL, Domain, IP address, and Hash observable types. It also notes that the maximum number is limited by available memory and disk space on the Security Gateway, and that the gateway checks whether 50% of total memory is free before loading more patterns or observables.

This capability applies to Custom Intelligence Feeds, which let administrators fetch feeds from third-party servers directly to the Security Gateway for enforcement by Anti-Virus, Anti-Bot, and IPS blades. The feature reduces operational overhead by allowing external indicators to be managed and monitored through the Threat Prevention enforcement path. The incorrect options either understate or overstate the documented baseline. “Unlimited” is also incorrect because Check Point explicitly ties the upper boundary to memory and disk capacity. Reference topics: Custom Threat Indicators, External IoC Feeds, Custom Intelligence Feeds, observable scale, R81.20 Threat Prevention, URL/domain/IP/hash indicators.