Checkpoint 156-590 - Check Point Certified Threat Prevention Specialist (CTPS)

The correct answer is B. Post-infection . Anti-Bot is the Threat Prevention blade focused on identifying and stopping bot-infected hosts after compromise indicators appear. Check Point documentation explicitly describes Anti-Bot as performing post-infection detection of bots on hosts and preventing bot damage by blocking command-and-control communications. The broader Threat Prevention guide also lists Anti-Bot as post-infection detection and explains that it uses ThreatCloud intelligence and multiple detection methods to identify bot activity.

This differs from IPS and Anti-Virus positioning. IPS and Anti-Virus are commonly understood as pre-infection controls because they attempt to block exploit traffic or malicious files before the host is compromised. Anti-Bot, by contrast, assumes the possibility that a host may already be infected and focuses on detecting outbound C & C communication, botnet behavior, malicious destinations, and other compromise evidence. Pre-inspection and post-inspection are not valid lifecycle categories for this blade in the exam context. In real operations, Anti-Bot is especially valuable for finding infected internal machines that bypassed earlier preventive controls or became infected off-network. Reference topics: Anti-Bot Software Blade, post-infection detection, Command and Control prevention, ThreatCloud intelligence, botnet behavior detection.

The correct answer is B. Prevent . From a performance perspective, the most resource-intensive setting is generally the one that requires the gateway not only to inspect and identify the threat, but also to enforce a blocking decision inline. Prevent mode means the protection is actively applied to traffic and the gateway must make a real-time enforcement decision. Check Point explains that Threat Prevention profiles activate protections based on factors that include the performance impact of the protection , threat severity, confidence level, and blade-specific settings. Check Point’s IPS optimization guidance also warns that some protections require more system resources to inspect traffic and recommends focusing on lower-impact protections when reducing gateway resource use is necessary.

By comparison, Inactive is the least intensive because the protection is not enforced. Detect can log or report detection without blocking, which is useful for staging and troubleshooting. Inspect still consumes inspection resources, but Prevent typically represents the highest operational burden because it performs inline analysis and enforcement, and may require buffering, stream handling, packet modification, or connection termination depending on blade and protocol. In real deployments, the exact resource cost also depends on traffic mix, protocol, file size, SSL inspection, protection complexity, and whether traffic remains accelerated. Reference topics: IPS Profile Settings, protection activation, Prevent versus Detect, Performance Impact, IPS optimization.

The correct answer is D. Communicate forensics data collected to Government Agencies . The Forensics tracking option exists to enrich Threat Prevention logs with deeper technical context for analysis and troubleshooting. Check Point documentation states that the Forensics option adds fields to Threat Prevention logs and that the additional information gives a deeper understanding of an attack. The Monitoring Threat Prevention guidance also explains that Advanced Forensics Details can include protocol-specific details for DNS, FTP, SMTP, HTTP, and HTTPS, and that this information is used by Check Point researchers to analyze attacks.

The purpose is security analysis, incident investigation, and support-quality evidence collection, not government reporting. Options A and B accurately describe the function of Forensics tracking. Option C reflects the broader idea that forensic and diagnostic details may include gateway-related technical data for Check Point analysis, depending on configuration and feature behavior. Option D is the false statement because Check Point Threat Prevention Forensics is not defined as a mechanism for transmitting collected forensic data to government agencies. In production, enabling Forensics should be treated as a deliberate logging and privacy decision because it may add protocol and transaction context to logs. Reference topics: Threat Prevention Track Options, Forensics tracking, Advanced Forensics Details, Logs & Monitor, attack analysis.

The correct answer is B. Traffic is matched against all applicable layers at the same time . Threat Prevention policy evaluation is not best described as a flat simultaneous match against all applicable layers. Check Point documentation explains that Threat Prevention Policy Layers are Ordered Layers , and that each ordered layer calculates its action separately from the other layers. In a single-layer policy package, the enforced rule is the first matched rule. In multiple-layer policy behavior, matching and enforcement are determined by the layer calculations and the applicable action logic, rather than by one undifferentiated simultaneous match model.

Option A is true because Threat Prevention inspection is applied after the Access Control policy allows the connection; traffic dropped or rejected by Access Control does not proceed to Threat Prevention enforcement. Option C is true for a single Threat Prevention layer because the first matching rule is enforced. Option D is also true because Threat Prevention uses ordered policy-layer behavior. The false statement is therefore option B. Reference topics: Threat Prevention Policy, Ordered Layers, first-match rule behavior, Access Control before Threat Prevention, multi-layer enforcement logic.

The correct answer is D. Inactive . A protection set to Inactive is not enforced for matching traffic, so it does not impose the same inspection and enforcement cost as active protection states. Check Point documentation explains that a Threat Prevention profile determines which protections are activated and which Software Blades are enabled for a rule or policy. The protections a profile activates depend on factors such as performance impact, threat severity, confidence level, and blade-specific settings. Check Point best-practice material also describes that administrators may tune IPS profiles and set protections to prevent , detect , or inactive .

The relative resource logic is direct: Prevent is usually the most expensive because the gateway must inspect and enforce a blocking action inline. Inspect and Detect still require traffic analysis and matching logic, even if the final result is logging rather than prevention. Inactive removes the protection from enforcement consideration, making it the lowest resource option. This does not mean administrators should disable protections indiscriminately; Inactive should be used only when justified by risk, false-positive analysis, performance tuning, or compensating controls. Reference topics: IPS profile tuning, activation settings, performance impact, Prevent/Detect/Inactive behavior, Threat Prevention optimization.

The correct answer is C. Install the Threat Prevention Policy . IPS Core Protections are part of the Threat Prevention policy domain, so changing them in SmartConsole is not enough by itself. The updated configuration must be compiled and installed to the relevant Security Gateways through the Threat Prevention Policy installation process. Check Point’s IPS Protections documentation shows the workflow for editing core protections: go to Security Policies > Threat Prevention > Custom Policy Tools > IPS Protections , filter for Type Core , edit the required core protection settings, and then Install the Threat Prevention policy .

This directly eliminates the other options. The setting is not immediately active because gateways enforce installed policy, not merely edited management configuration. Install Database updates the management database but does not push enforcement logic to the Security Gateway. Install Access Control Policy applies firewall/access-layer logic, but IPS Core Protections belong to the Threat Prevention policy. In operational terms, this separation allows administrators to install Threat Prevention changes without necessarily reinstalling Access Control, reducing disruption and keeping blade changes scoped to the correct policy package. Reference topics: IPS Protections, Core IPS Protections, Custom Policy Tools, Threat Prevention Policy installation, enforcement lifecycle.

The correct answer is D. fwaccel dos rate . When IPS or other Threat Prevention inspection causes significant traffic to leave the fully accelerated SecureXL path and move to F2F, the gateway can experience higher CPU utilization because more packets require Firewall kernel processing. The fwaccel dos rate command belongs to SecureXL DoS and rate-limiting controls. Check Point’s Performance Tuning guide defines fwaccel dos rate and fwaccel6 dos rate as commands that show and install the Rate Limiting policy in SecureXL. It also notes that the feature is enabled by default without rules.

This makes it the correct command for enforcing traffic quotas or rate-limiting policy in the accelerated path. fw dos rate is not the correct Check Point syntax. fwaccel rate omits the DoS rate-limiting command hierarchy. fw ctl dos is also not the documented command for SecureXL rate policy installation. In operational performance tuning, fwaccel DoS rate controls are useful when the gateway must protect CPU resources from excessive connection rates, volumetric pressure, or inspection-heavy flows that can amplify the impact of Threat Prevention processing. Reference topics: SecureXL DoS Mitigation, Rate Limiting Policy, fwaccel dos rate, F2F path, IPS performance impact.

The correct answer is B. QoS Policy exemptions . Threat Prevention exceptions are policy constructs used to alter how Threat Prevention blades, IPS protections, files, sites, or protected-scope objects are handled. Check Point documentation explains that an exception sets a different action for an object in the protected scope than the action specified by the Threat Prevention rule, and that exceptions are generally intended to reduce the level of enforcement rather than increase it. The guide also describes creating exceptions from IPS Protections, logs, events, and exception groups, all within the Threat Prevention policy workflow.

IPS Settings Exceptions , Core Activation Exceptions , and Implied IPS Exceptions are aligned with the IPS/Threat Prevention exception model because they affect how protections are activated, tuned, or safely excluded from enforcement. QoS Policy exemptions do not belong to Threat Prevention exception taxonomy. QoS relates to traffic prioritization, bandwidth control, and quality-of-service enforcement, not malware, IPS, Anti-Bot, Anti-Virus, or blade exception handling. In certification terms, the key separation is policy domain: Threat Prevention exceptions modify security inspection behavior, while QoS exemptions belong to traffic management. Reference topics: Threat Prevention Exceptions, IPS Exceptions, Core Activation Exceptions, Implied IPS Exceptions, exception groups.

The correct answer is D. F2F . Protections with high inspection impact generally require deeper processing that cannot remain fully accelerated in SecureXL. In Check Point performance terminology, F2F means traffic is forwarded from SecureXL to the Firewall path for inspection. Performance tuning documentation describes F2F packets as packets that SecureXL forwarded to the Firewall in the slow path, while accelerated traffic remains in the fast path. Threat Prevention protections, especially high-impact IPS protections, can require deeper packet, stream, or protocol analysis and therefore increase the portion of traffic processed outside full SecureXL acceleration.

Check Point IPS documentation explains that Performance Impact is the measure of how much a protection affects gateway performance and warns that activated protections with higher performance impact can cause connectivity or performance issues. The IPS optimization guidance further explains that some protections require more system resources to inspect traffic and recommends focusing on lower-impact protections when reducing gateway resource use is necessary. SXL is the fully accelerated path, PXL is medium-path inspection with acceleration assistance, and CPASXL relates to active streaming acceleration. High Protection Impact aligns with F2F because the gateway must perform deeper inspection. Reference topics: IPS Performance Impact, SecureXL packet paths, F2F, PXL/SXL, IPS optimization.