156-590 Checkpoint Check Point Certified Threat Prevention Specialist (CTPS) Free Practice Exam Questions (2026 Updated)

The correct answer is B. Update Now, Schedule Update, Follow Protections . Check Point IPS protection maintenance includes manual updating, scheduled updating, and a follow-up workflow for newly updated protections. The official IPS Protections documentation explains that administrators can immediately update IPS from Custom Policy Tools > Updates > IPS > Update Now , and that IPS protections can also be updated by configuring a schedule for automatic downloads. It also notes that IPS updates require Threat Prevention Policy installation for enforcement.

The same IPS Protections section describes Follow Up behavior for protections: administrators can mark protections for follow-up, filter on them later, and updated protections can be automatically marked for follow-up so they can be reviewed after update. In the course-question wording, this maps to “Follow Protections.” The purpose is operational control: update now provides immediate package retrieval, scheduled update automates routine maintenance, and follow protections gives administrators a practical workflow to review newly added or changed IPS protections. The other options either use non-standard names or omit the protection-review workflow. Reference topics: IPS Protections, Update Now, Scheduling IPS Updates, Follow Up Protections, Threat Prevention Policy installation.

The correct answer is B. The executive reports generally contain abstract information without much technical detail. You have to use Smart Event Threat Prevention Report filtered for last week data . For executive communication, the correct SmartEvent mechanism is a report rather than a raw log export or interactive operational view. Check Point documentation explains that views and reports can be exported to PDF or CSV using defined filters and time frames, and that reports summarize network activity and Security Policy enforcement generated by Check Point products such as SmartEvent.

A CEO-level security-incident briefing should emphasize risk, timeline, impact, affected assets, attack category, prevention outcome, and recommended remediation, without requiring the recipient to interpret raw logs or technical blade details. A Threat Prevention Report filtered for last week provides the appropriate time-bounded summary. Option A is overly manual and uses a view plus CSV/PDF conversion rather than the report mechanism. Option C incorrectly shifts the workflow to SmartLog filtering and an external report generator. Option D uses a view, which is better suited for live or interactive operational analysis by administrators, not executive distribution. Reference topics: SmartEvent Reports, Threat Prevention Report, report time filters, executive reporting, exporting reports.

The correct answer is B. Exclusions . In Anti-Virus policy design, exclusions are used to remove selected traffic or file categories from Anti-Virus inspection when inspection is unnecessary, redundant, or too costly for the business flow. Check Point documentation states that Threat Prevention can be configured to exclude files from inspection , including examples such as internal emails and internal file transfers. The same section explains that these settings are based on interface type and traffic direction.

This directly aligns with the performance objective in the question: if the gateway does not inspect files that are already trusted, internal, or operationally low-risk, Anti-Virus consumes fewer CPU, memory, buffering, and content-inspection resources. Content Control is not the Anti-Virus bypass feature named in this context. Exceptions are policy-level constructs that can exclude traffic from Threat Prevention enforcement, but the question specifically asks for the feature that improves Anti-Virus performance by bypassing inspection of specific files, which is Exclusions . Bypass describes the effect, not the named feature. Reference topics: Anti-Virus Settings, Protected Scope, file inspection exclusions, interface direction, Threat Prevention performance optimization.

The correct answer is B. UserCheck . In SmartConsole, Custom Policy Tools are used to manage Threat Prevention policy objects and tuning components such as profiles, IPS protections, indicators, and protection categories. The official R81.20 guide shows Custom Policy Tools > Profiles for profile creation, editing, and cloning, and Custom Policy Tools > IPS Protections for managing IPS protection behavior. The same guide also shows Custom Policy Tools > Indicators as the location used to configure external IoC feeds.

Malicious Activity Detection is represented through Threat Prevention protection types: the Protections Browser displays protection types, and the guide states that Malicious Activity and Unusual Activity protection types contain lists of protections. UserCheck, however, is not itself a Custom Policy Tools setting. It is a user interaction and notification mechanism configured inside relevant blade/profile settings, such as Anti-Bot or Zero Phishing UserCheck messages. Therefore, among the choices, UserCheck is the item that does not belong as an available Custom Policy Tools setting. Reference topics: Custom Policy Tools, IPS Protections, Indicators, Threat Prevention Profiles, Protections Browser, UserCheck settings.

The correct answer is C. ThreatCloud DNS Tunneling Protection . Check Point R81.20 introduced major Advanced Threat Prevention enhancements, including AI Deep Learning improvements for DNS attacks. The R81.20 Release Notes state that AI Deep Learning prevents more DNS attacks in real time and specifically reference ThreatCloud DNS tunneling protection as part of the DNS Security enhancements.

DNS tunneling protection is distinct from Malware DNS Trap. Malware DNS Trap returns a false or bogus IP address for known malicious hosts and domains, and it can help identify compromised clients by observing connection attempts to the false trap address. That mechanism is represented by option A/B, but it is not the R81.20-introduced DNS protection being tested here. ThreatCloud DNS Tunneling Protection targets a different technique: abuse of DNS as a covert channel for command-and-control, data exfiltration, or tunneling traffic through recursive DNS infrastructure. Option D is unrelated to Check Point DNS Threat Prevention architecture. Reference topics: R81.20 Advanced Threat Prevention, DNS Security, ThreatCloud DNS Tunneling Protection, Malware DNS Trap, Anti-Bot and Anti-Virus DNS protections.

The correct answer is C. Two hours . In R80.20 and later, Check Point supports direct scheduled updates from the Security Gateway for IPS protections, Anti-Virus, and Anti-Bot. The official Threat Prevention Scheduled Updates documentation states that IPS, Anti-Virus and Anti-Bot updates are performed every two hours by default . It also explains the R80.20 architectural change: before R80.20, IPS updates were downloaded to the Security Management Server and enforced by gateways after policy installation; starting from R80.20, gateways can directly download the updates.

The SMS/SG distinction matters operationally. In upgraded or mixed-version environments, scheduled update behavior can depend on whether the Management Server, Security Gateways, or both have been upgraded to R80.20 or higher. Gateways without Internet connectivity still require policy installation to enforce updates. The default interval tested here is the recurring update check for IPS protections in the R80.20+ scheduled-update model, and that interval is two hours. Six hours, twelve hours, and daily are not the documented default for IPS protections in this context. Daily applies to some Threat Emulation update components, not IPS protections. Reference topics: Threat Prevention Scheduled Updates, IPS protection updates, R80.20 direct gateway updates, Security Management Server update behavior, Security Gateway update interval.

The correct answer is B. Prevent . From a performance perspective, the most resource-intensive setting is generally the one that requires the gateway not only to inspect and identify the threat, but also to enforce a blocking decision inline. Prevent mode means the protection is actively applied to traffic and the gateway must make a real-time enforcement decision. Check Point explains that Threat Prevention profiles activate protections based on factors that include the performance impact of the protection , threat severity, confidence level, and blade-specific settings. Check Point’s IPS optimization guidance also warns that some protections require more system resources to inspect traffic and recommends focusing on lower-impact protections when reducing gateway resource use is necessary.

By comparison, Inactive is the least intensive because the protection is not enforced. Detect can log or report detection without blocking, which is useful for staging and troubleshooting. Inspect still consumes inspection resources, but Prevent typically represents the highest operational burden because it performs inline analysis and enforcement, and may require buffering, stream handling, packet modification, or connection termination depending on blade and protocol. In real deployments, the exact resource cost also depends on traffic mix, protocol, file size, SSL inspection, protection complexity, and whether traffic remains accelerated. Reference topics: IPS Profile Settings, protection activation, Prevent versus Detect, Performance Impact, IPS optimization.

The correct answer is B. Reports can be delivered to users who are not Check Point administrators . SmartEvent Views are primarily interactive dashboards used by administrators and analysts for live investigation, drill-down, filtering, and operational analysis. Reports are designed for packaged distribution: they summarize security activity, policy enforcement, trends, and incident data into a consumable format. Check Point documentation states that views and reports can be exported to PDF or CSV using defined filters and time frames. It also documents scheduled report delivery, including the option to send a scheduled view or report automatically by email.

This delivery model is why reports are better suited for executives, auditors, business owners, and non-administrator stakeholders. They do not need SmartConsole access or Check Point administrator privileges to consume a PDF or scheduled email report. Option A describes Views more accurately because views are live and interactive. Option C is incorrect because reports do not inherently have more raw detail than views; they present selected information in a structured format. Option D is incorrect because both views and reports can be customized. Reference topics: SmartEvent Reports, Views and Reports, report scheduling, PDF/CSV export, email delivery, non-administrator reporting.

The correct answer is D. Newly created domains . DGA means Domain Generation Algorithm , a technique used by malware to algorithmically create large numbers of domain names for command-and-control communication. Instead of hardcoding one static C2 domain, a bot can generate many possible domains over time, making takedown and static blocking much harder. Check Point’s Network Security Software Bundles datasheet states that Check Point AI Deep Learning blocks the latest DNS attacks, including Tunneling and Domain Generation Algorithm/DGA , and specifically blocks connections to the newest generation of malicious domains created via DGA.

This explains why the correct exam option is “newly created domains.” Known malicious IP blocking is a reputation and IP intelligence function, but it is not the specific purpose of DGA protection. Infected URLs and infected files are handled by URL reputation, Anti-Virus, Threat Emulation, and related Threat Prevention functions. DGA protection focuses on DNS-layer behavior and suspicious or algorithmically generated domain use, especially when malware attempts to contact rotating or recently generated domains for C2, payload retrieval, or data exfiltration. In operational terms, DGA protection is part of Anti-Bot and Advanced DNS defense, helping detect compromised hosts even when the malware infrastructure changes rapidly. Reference topics: ThreatCloud, DGA Protection, Advanced DNS, Anti-Bot, DNS C2 prevention.

The correct answer is B. Intrusion Prevention System . In Check Point terminology, IPS is the Software Blade responsible for inspecting and analyzing packets and data for numerous risk types. The official Check Point Threat Prevention documentation identifies IPS as Intrusion Prevention System and describes IPS protections as part of the Threat Prevention Software Blade framework.

IPS is more than a simple signature engine. It provides vulnerability-oriented and exploit-oriented protections, including protections mapped to CVEs, protocol anomalies, command injection patterns, server-side attacks, client-side attacks, and other known or unknown exploitation behaviors. Check Point also describes IPS as delivering proactive intrusion prevention with thousands of signatures, behavioral protections, and preemptive protections, adding another layer of security above firewall enforcement.

The incorrect options misuse the term “Invasion” or replace “System” with “Software.” Although IPS is implemented as a Check Point Software Blade, the acronym itself expands to Intrusion Prevention System . In policy design, IPS is treated as a pre-infection prevention capability that stops exploitation before compromise, rather than as a post-infection malware-detection control. Reference topics: IPS Software Blade, Intrusion Prevention System definition, IPS protections, CVE-based protections, proactive intrusion prevention.

The correct answer is D. Correlates Security Gateway logs into easily understandable events . SmartEvent is Check Point’s event-correlation and analysis system. It does not simply generate raw logs; logs are generated by Security Gateways and other Check Point components. SmartEvent consumes those logs, analyzes them against event policies, identifies patterns, and produces higher-level events suitable for investigation, dashboards, reports, and incident workflows. Check Point documentation explains that the SmartEvent Correlation Unit analyzes each log entry from a Log Server, looks for patterns according to the installed Event Policy, and forwards identified events to the SmartEvent Server.

This directly eliminates the distractors. SmartEvent does not run on the Security Gateway as the log-generating enforcement component. It does not generate logs merely so views can be customized; rather, it indexes, correlates, and presents logs and events. It is not principally a Multi-Domain syslog-forwarding tool. Its architectural value is correlation: it transforms large volumes of gateway logs into meaningful security events, reducing analyst workload and enabling threat timelines, reports, executive summaries, and incident management. Reference topics: SmartEvent Architecture, SmartEvent Correlation Unit, Event Policy, Log Server analysis, threat-event correlation.

The correct answer is D. Ordered . Threat Prevention policy uses ordered policy layers. Check Point documentation states that you can create a Threat Prevention Rule Base with multiple Ordered Layers , and that Ordered Layers help organize the Rule Base according to organizational needs, such as services or networks. Each Policy Layer calculates its action separately from other layers, and when there is one layer in the policy package, the first matched rule is enforced.

This is a core certification distinction. Access Control can use ordered and inline layers, but Threat Prevention is treated as an ordered layer policy model. The policy evaluates rules in order and applies the appropriate Threat Prevention profile, blades, protection behavior, and tracking according to rule matching. Option C describes when Threat Prevention is applied in the traffic flow—after Access Control accepts the connection—but it does not answer the question about the layer type. Option A is incorrect because Threat Prevention is not both ordered and inline in this context. Option B is incorrect because inline layers are not the Threat Prevention layer type being tested here. Reference topics: Threat Prevention Policy Layers, Ordered Layers, first-match behavior, policy-layer calculation, Threat Prevention Rule Base.

The correct answer is D. Communicate forensics data collected to Government Agencies . The Forensics tracking option exists to enrich Threat Prevention logs with deeper technical context for analysis and troubleshooting. Check Point documentation states that the Forensics option adds fields to Threat Prevention logs and that the additional information gives a deeper understanding of an attack. The Monitoring Threat Prevention guidance also explains that Advanced Forensics Details can include protocol-specific details for DNS, FTP, SMTP, HTTP, and HTTPS, and that this information is used by Check Point researchers to analyze attacks.

The purpose is security analysis, incident investigation, and support-quality evidence collection, not government reporting. Options A and B accurately describe the function of Forensics tracking. Option C reflects the broader idea that forensic and diagnostic details may include gateway-related technical data for Check Point analysis, depending on configuration and feature behavior. Option D is the false statement because Check Point Threat Prevention Forensics is not defined as a mechanism for transmitting collected forensic data to government agencies. In production, enabling Forensics should be treated as a deliberate logging and privacy decision because it may add protocol and transaction context to logs. Reference topics: Threat Prevention Track Options, Forensics tracking, Advanced Forensics Details, Logs & Monitor, attack analysis.

The correct answer is A. Detect . IPS Staging Mode is designed to introduce newly updated protections safely by observing their effect before enforcing active prevention. Check Point documentation states that when newly updated protections are set to Staging Mode , they remain in staging until the administrator changes their configuration. The default action for protections in staging mode is Detect , and this can be changed manually in the IPS Protections page. The R81.20 guide states the same behavior: newly updated protections in staging mode remain there until changed, and their default action is Detect.

This behavior is important during IPS lifecycle management because new signatures can introduce unexpected matches in production traffic. Detect mode allows the gateway to log and expose what the protection would have matched while avoiding immediate blocking. That gives administrators time to validate logs, tune exceptions, confirm confidence level, and assess business impact before switching to Prevent. Bypass would skip inspection and is not the staging default. None is not the default action. Prevent may be the final desired enforcement state, but staging intentionally avoids immediate prevention until analysis is complete. Reference topics: IPS Updates Policy, Staging Mode, Newly Updated Protections, Detect action, IPS protection rollout.

The correct answer is A. An audit log is a record of actions taken by administrators . In Check Point management architecture, audit logs are different from traffic logs, threat logs, or operating-system event logs. A traffic log records inspected network connections and blade decisions. A threat log records Threat Prevention detections, preventions, packet captures, forensic details, and blade-specific events. An audit log records administrative activity performed in the management environment. The uploaded Check Point glossary material defines an Audit Log as a log that contains administrator actions on a Management Server, including login and logout, creation or modification of an object, and installation of a policy.

This is operationally important because audit logs support accountability and change control. When investigating a policy change, exception addition, blade enablement, profile modification, or installation event, the audit trail shows which administrator performed the action and when it occurred. Option B is incorrect because system event logs are not the same as audit logs. Option C describes a filtered view of logs, not an audit record. Option D is incorrect because gateway system logs are operational logs from enforcement points, while audit logs are management-plane administrative records. Reference topics: Audit Logs, administrator actions, Management Server accountability, policy installation auditing, change tracking.

The correct answer is B. Active Streaming, Passive Streaming, Deep Scanning and Archive Scanning . Anti-Virus scanning in Check Point Threat Prevention uses multiple content-inspection technologies to balance security, performance, and protocol behavior. Check Point Security Gateway documentation identifies the streaming architecture: the MUX layer chooses to work over PSL , the Passive Streaming Layer, or CPAS , Check Point Active Streaming. The Anti-Virus settings documentation also shows Deep Scanning behavior through file-type processing, including Process all file types and Enable deep inspection scanning , with an explicit performance-impact warning. It also describes Archive Scanning, where the Anti-Virus engine unpacks archives and applies proactive heuristics.

This makes option B the only complete answer. “Inspect or Bypass” describes possible handling actions, not scanning technologies. “Active and Passive Scanning” is incomplete because it omits deep inspection and archive handling. “Automatic, Manual, On-Demand, Scheduled” describes update or operational timing concepts, not Anti-Virus scanning engines. In practice, Active/Passive Streaming controls how traffic is handled in the inspection pipeline, Deep Scanning expands the set of file types inspected, and Archive Scanning opens compressed containers to detect malware hidden inside them. Reference topics: Anti-Virus Settings, CPAS, PSL, Deep Inspection Scanning, Archive Scanning.

The correct answer is D. The rule is contained on a single line. There are two logical sections: Rule Header and Rule Options . SNORT signatures are supported in Check Point Threat Prevention as custom IPS-style protections, and their structure follows the standard SNORT rule model. Official Snort documentation states that the rule header includes the text before the first parenthesis, while the body contains the rule options between parentheses. It also shows a complete rule with header and option definitions. The classic Snort rule reference describes the two logical sections as the rule header and rule options .

In the exam wording, the expected construction is a single-line rule composed of these two logical sections. The header defines the coarse traffic selector and action, such as alert/drop, protocol, source, destination, ports, and direction. The options define the detailed detection logic, such as message, content match, flow, metadata, and signature identifier. “Payload” is not the correct formal name for the second logical section, which eliminates options A and C. Option B uses the correct logical sections but incorrectly states that the rule is contained on two lines. Reference topics: SNORT Signature Support, custom IPS protections, Rule Header, Rule Options, signature syntax.

The correct answer is B. 1. Integrated/Standalone and 2. Dedicated Server . SmartEvent is Check Point’s event analysis, correlation, and reporting platform. Official Check Point Logging and Monitoring documentation explains that SmartEvent Server is integrated with the Security Management Server architecture and can communicate with Log Servers to read and analyze logs. It further states that administrators can enable SmartEvent on the Security Management Server or deploy it as a dedicated server . In Multi-Domain environments, Check Point requires SmartEvent on a dedicated server.

This maps directly to the course terminology: integrated or standalone deployment means SmartEvent runs on the existing management architecture, while a dedicated server deployment separates SmartEvent components onto another machine for scale, retention, performance, or Multi-Domain requirements. Option A uses generic distributed language but not the tested Check Point deployment wording. Option C confuses SmartEvent deployment with Threat Prevention enforcement states such as Prevent and Detect. Option D refers to clustering concepts and does not describe SmartEvent deployment models. In production design, dedicated SmartEvent is preferred when log volume is high, reporting is heavily used, or event correlation must not compete with management operations. Reference topics: Deploying SmartEvent, SmartEvent Server, Correlation Unit, Integrated/Standalone deployment, Dedicated SmartEvent Server.

The correct answer is D. Thorough protection . Deep Scanning is selected when the organization wants broader and more complete Anti-Virus inspection, even at the cost of additional processing. Check Point’s Anti-Virus settings documentation shows that administrators can configure file handling to process file types known to contain malware, process specific file-type families, or process all file types . It also states that enabling deep inspection scanning impacts performance.

This is the key tradeoff: Deep Scanning improves protection depth by expanding the set of files and content types subjected to inspection, but it is not the best choice for minimal latency or lowest resource consumption. Options A, B, and C are therefore incorrect because Deep Scanning is not primarily a performance optimization. It can require more CPU, memory, buffering, file classification, and scanning time, especially when paired with archive scanning, HTTPS Inspection, or large file transfers. Its benefit is security completeness: it reduces blind spots by inspecting more file content and providing stronger protection against malware hidden in less common or less obvious file types. Reference topics: Anti-Virus Settings, File Types, Deep Inspection Scanning, process all file types, performance impact, thorough malware protection.