Protections with a High Protection Impact rating go through which path?
PXL
SXL
CPASXL
F2F
The correct answer is D. F2F . Protections with a high Performance Impact rating generally require deeper processing that cannot remain fully accelerated in SecureXL. In Check Point performance terminology, F2F means traffic is forwarded from SecureXL to the Firewall path for inspection. Performance tuning documentation describes F2F packets as packets that SecureXL forwarded to the Firewall in the slow path, while accelerated traffic remains in the fast path. Threat Prevention protections, especially high-impact IPS protections, can require deeper packet, stream, or protocol analysis and therefore increase the portion of traffic processed outside full SecureXL acceleration.
Check Point IPS documentation explains that Performance Impact is the measure of how much a protection affects gateway performance and warns that activated protections with higher performance impact can cause connectivity or performance issues. The IPS optimization guidance further explains that some protections require more system resources to inspect traffic and recommends focusing on lower-impact protections when reducing gateway resource use is necessary. SXL is the fully accelerated path, PXL is medium-path inspection with acceleration assistance, and CPASXL relates to active streaming acceleration. High Protection Impact aligns with F2F because the gateway must perform deeper inspection. Reference topics: IPS Performance Impact, SecureXL packet paths, F2F, PXL/SXL, IPS optimization.
Which of the following is NOT a valid Blade bundle?
Next Generation Firewall
Next Generation Full Protection
Next Generation Threat Prevention
SandBlast
The correct answer is B. Next Generation Full Protection . Check Point’s documented security subscription package families include NGFW , NGTP , and SNBT/SandBlast . Check Point’s 3600 Security Gateway datasheet explicitly lists NGFW , NGTP , and SNBT (SandBlast) as all-inclusive security package columns. The Network Security Software Bundles datasheet also presents the same package structure: NGFW as the base Next Generation Firewall bundle, NGTP as the Next-Gen Threat Prevention package, and SNBT as the SandBlast package that includes NGTP and adds zero-day protection capabilities.
Therefore, Next Generation Firewall , Next Generation Threat Prevention , and SandBlast are valid Check Point blade bundle names in this context. Next Generation Full Protection is not the documented bundle name. It may sound plausible because it describes a comprehensive security posture, but certification questions require exact product and package terminology. In Check Point licensing and subscription design, using the correct bundle name matters because each package maps to a defined set of Software Blades and subscription entitlements. NGFW provides the base firewall/IPS access-control package, NGTP adds known-threat prevention, and SNBT adds advanced SandBlast zero-day protections such as Threat Emulation, Threat Extraction, and Zero Phishing. Reference topics: Check Point Software Blade bundles, NGFW, NGTP, SNBT/SandBlast, package entitlement mapping.
Which statement is true concerning the Custom Policy Tools?
Block List files - Configure disallowed files.
Allow List Files - Configure allowed files.
Indicators - Configure indicators for benign activity.
Profiles - Edit profiles which are only available for Autonomous Threat Prevention.
The correct answer is A. Block List files - Configure disallowed files . Custom Policy Tools are used to manage Threat Prevention objects and enforcement helpers under the Threat Prevention policy view. A Block List file is used to define files that should be treated as disallowed, blocked, or explicitly malicious/undesired according to the policy objective. This is the opposite of the Allow List, which Check Point documents as a list of trusted files that the Threat Prevention engine does not inspect for malware, viruses, and bots, helping reduce gateway resource utilization. The official guide shows Allow List Files under Threat Prevention > Custom Policy Tools > Allow List Files .
Option A is the statement this answer key selects because it describes block-list handling of disallowed files. One caveat a practitioner will notice: the documentation cited above lists Allow List Files under Custom Policy Tools, so option B also reads as an accurate description of a documented item, while a Block List Files entry is not named in that same Custom Policy Tools path. Check the wording against the exam version you are preparing for rather than relying on a single key. Option C is incorrect because Indicators are not for benign activity; they are observables such as IP addresses, domains, URLs, or file hashes that the gateway matches for detection or prevention. Option D is incorrect because profiles are not limited to Autonomous Threat Prevention; Custom Threat Prevention also uses profiles such as Basic, Optimized, and Strict. Reference topics: Custom Policy Tools, Block List Files, Allow List Files, Indicators, Threat Prevention Profiles.
What kind of information is stored in the Audit Log?
An audit log is a record of actions taken by administrators.
An audit log is a record of system event logs on the Security Management Server.
An audit log is a portion of the traffic log which has been filtered by filter expression defined by the administrator.
An audit log is a record of system event logs on the Security Gateway.
The correct answer is A. An audit log is a record of actions taken by administrators . In Check Point management architecture, audit logs are different from traffic logs, threat logs, or operating-system event logs. A traffic log records inspected network connections and blade decisions. A threat log records Threat Prevention detections, preventions, packet captures, forensic details, and blade-specific events. An audit log records administrative activity performed in the management environment. The Check Point glossary defines an Audit Log as a log that contains administrator actions on a Management Server, including login and logout, creation or modification of an object, and installation of a policy.
This is operationally important because audit logs support accountability and change control. When investigating a policy change, exception addition, blade enablement, profile modification, or installation event, the audit trail shows which administrator performed the action and when it occurred. Option B is incorrect because system event logs are not the same as audit logs. Option C describes a filtered view of logs, not an audit record. Option D is incorrect because gateway system logs are operational logs from enforcement points, while audit logs are management-plane administrative records. Reference topics: Audit Logs, administrator actions, Management Server accountability, policy installation auditing, change tracking.
What is the default Track option for IPS Protections?
UserCheck
None
Alert
Log
The correct answer is D. Log . In Check Point Threat Prevention, tracking determines what evidence is generated when a rule or protection matches traffic. The official Logging and Monitoring guide states that Log is the default option in the Threat Prevention policy , and that it shows the information the Security Gateway used to match the connection, including at minimum source, destination, source port, and destination port. It also explains that richer session details can appear when the rule includes application or data-type matching.
For IPS protections, this default is operationally important because IPS enforcement without logs would make post-event investigation, false-positive analysis, tuning, and compliance validation much harder. None is specifically documented as the default in Access Control policy, not Threat Prevention. Alert is a stronger notification mechanism but is not the default tracking behavior. UserCheck is an end-user interaction mechanism used in selected blades and scenarios, not the default IPS protection tracking value. The default Log setting gives administrators visibility into IPS matches while avoiding the operational noise of alerting on every event. Reference topics: Threat Prevention Track options, IPS logging, Logs & Monitor, protection match evidence, default Threat Prevention tracking.
Which is NOT true of Threat Prevention policy application?
Only applied after traffic is accepted by Access Control Policy
Traffic is matched against all applicable layers at the same time
Only applies first matched rule
Applied as ordered layer
The correct answer is B. Traffic is matched against all applicable layers at the same time . Threat Prevention policy evaluation is not best described as a flat simultaneous match against all applicable layers. Check Point documentation explains that Threat Prevention Policy Layers are Ordered Layers , and that each ordered layer calculates its action separately from the other layers. In a single-layer policy package, the enforced rule is the first matched rule. In multiple-layer policy behavior, matching and enforcement are determined by the layer calculations and the applicable action logic, rather than by one undifferentiated simultaneous match model.
Option A is true because Threat Prevention inspection is applied after the Access Control policy allows the connection; traffic dropped or rejected by Access Control does not proceed to Threat Prevention enforcement. Option C is true for a single Threat Prevention layer because the first matching rule is enforced. Option D is also true because Threat Prevention uses ordered policy-layer behavior. The false statement is therefore option B. Reference topics: Threat Prevention Policy, Ordered Layers, first-match rule behavior, Access Control before Threat Prevention, multi-layer enforcement logic.
Which protection setting is generally the LEAST resource intensive?
Prevent
Inspect
Detect
Inactive
The correct answer is D. Inactive . A protection set to Inactive is not enforced for matching traffic, so it does not impose the same inspection and enforcement cost as active protection states. Check Point documentation explains that a Threat Prevention profile determines which protections are activated and which Software Blades are enabled for a rule or policy. The protections a profile activates depend on factors such as performance impact, threat severity, confidence level, and blade-specific settings. Check Point best-practice material also describes that administrators may tune IPS profiles and set protections to prevent , detect , or inactive .
The relative resource logic is direct: Prevent is usually the most expensive because the gateway must inspect and enforce a blocking action inline. Inspect and Detect still require traffic analysis and matching logic, even if the final result is logging rather than prevention. Inactive removes the protection from enforcement consideration, making it the lowest resource option. This does not mean administrators should disable protections indiscriminately; Inactive should be used only when justified by risk, false-positive analysis, performance tuning, or compensating controls. Reference topics: IPS profile tuning, activation settings, performance impact, Prevent/Detect/Inactive behavior, Threat Prevention optimization.
What is the purpose of the Profile Cleanup option?
It lets you start over by removing all administrator overrides.
It merges protection settings from multiple profiles into the Optimized Profile.
It serves as a cleanup policy if none of the protection matches the packets.
It eliminates protections automatically which hasn't been used for a predefined amount of time.
The correct answer is A. It lets you start over by removing all administrator overrides . Profile Cleanup is a profile-maintenance function used when manual IPS protection changes have accumulated and the administrator wants to return the profile to its intended baseline logic. Check Point’s IPS Protections documentation describes the Profile Cleanup window as offering actions such as Remove all user modified and Clear all staging , followed by installing the Threat Prevention Policy.
This makes the feature a reset and hygiene mechanism, not a rulebase cleanup rule. It removes administrator-level overrides that may have been introduced during tuning, temporary mitigation, testing, exception handling, or staged rollout of protections. Option B is incorrect because Profile Cleanup does not merge settings from several profiles into the Optimized Profile. Option C is incorrect because unmatched traffic handling is controlled by policy/rule behavior, not by Profile Cleanup. Option D is incorrect because protections are not automatically removed based on usage age by this option. The administrative value of Profile Cleanup is control: it lets the security architect re-align a profile with its default or intended activation criteria. Reference topics: IPS Protections, Activation Overrides, Profile Cleanup, Staging, Threat Prevention Policy installation.
Using IPS can send a large part of traffic to F2F path.
Which command can you use to enforce traffic quotas?
fw dos rate
fwaccel rate
fw ctl dos
fwaccel dos rate
The correct answer is D. fwaccel dos rate . When IPS or other Threat Prevention inspection causes significant traffic to leave the fully accelerated SecureXL path and move to F2F, the gateway can experience higher CPU utilization because more packets require Firewall kernel processing. The fwaccel dos rate command belongs to SecureXL DoS and rate-limiting controls. Check Point’s Performance Tuning guide defines fwaccel dos rate and fwaccel6 dos rate as commands that show and install the Rate Limiting policy in SecureXL. It also notes that the feature is enabled by default without rules.
This makes it the correct command for enforcing traffic quotas or rate-limiting policy in the accelerated path. fw dos rate is not the correct Check Point syntax. fwaccel rate omits the DoS rate-limiting command hierarchy. fw ctl dos is also not the documented command for SecureXL rate policy installation. In operational performance tuning, fwaccel DoS rate controls are useful when the gateway must protect CPU resources from excessive connection rates, volumetric pressure, or inspection-heavy flows that can amplify the impact of Threat Prevention processing. Reference topics: SecureXL DoS Mitigation, Rate Limiting Policy, fwaccel dos rate, F2F path, IPS performance impact.
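The two questions above (the F2F path for high-impact protections, and the SecureXL rate-limiting command) share one operational check: after enabling IPS protections, measure how much traffic left the accelerated path before reaching for `fwaccel dos rate`. The following Python is an added example, not Check Point code. It parses counters in the shape `fwaccel stats -s` prints on R80.x gateways (an assumption; the sample text is constructed, and real field names or spacing may differ) and flags a gateway whose F2F share has grown past a threshold. The rate-limiting rules themselves are configured with `fwaccel dos rate`; their rule syntax is not shown here.

```python
"""
Parse 'fwaccel stats -s' style counters and flag a gateway whose F2F
(slow path) share has grown after high Performance Impact IPS protections
were enabled. Added example, not Check Point code. Both samples are
constructed to resemble R80.x output; field names are an assumption.
"""
import re

# Constructed sample: before enabling high Performance Impact protections
STATS_BEFORE = """\
Accelerated conns/Total conns : 1800/2000 (90%)
Accelerated pkts/Total pkts   : 950000/1000000 (95%)
F2Fed pkts/Total pkts         : 20000/1000000 (2%)
PXL pkts/Total pkts           : 30000/1000000 (3%)
QXL pkts/Total pkts           : 0/1000000 (0%)
"""

# Constructed sample: after enabling them, same traffic mix
STATS_AFTER = """\
Accelerated conns/Total conns : 1200/2000 (60%)
Accelerated pkts/Total pkts   : 600000/1000000 (60%)
F2Fed pkts/Total pkts         : 250000/1000000 (25%)
PXL pkts/Total pkts           : 150000/1000000 (15%)
QXL pkts/Total pkts           : 0/1000000 (0%)
"""

# One counter line: "<name> : <num>/<den> (<pct>%)"
LINE_RE = re.compile(
    r"^(?P<name>[^:]+?)\s*:\s*(?P<num>\d+)/(?P<den>\d+)\s*\((?P<pct>\d+)%\)\s*$"
)


def parse_fwaccel_stats(text):
    """Return {counter_name: (numerator, denominator)} for every 'a/b (p%)' line."""
    out = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out[m.group("name").strip()] = (int(m.group("num")), int(m.group("den")))
    return out


def path_shares(stats):
    """Packet share per path as a fraction, computed from the raw counts
    rather than the rounded percentage the gateway prints."""
    shares = {}
    for key, label in (("Accelerated pkts/Total pkts", "SXL"),
                       ("PXL pkts/Total pkts", "PXL"),
                       ("F2Fed pkts/Total pkts", "F2F")):
        num, den = stats.get(key, (0, 0))
        shares[label] = num / den if den else 0.0
    return shares


def f2f_alert(before_text, after_text, max_f2f=0.10, max_growth=0.05):
    """Compare F2F share before/after a change; thresholds are illustrative."""
    before = path_shares(parse_fwaccel_stats(before_text))
    after = path_shares(parse_fwaccel_stats(after_text))
    growth = after["F2F"] - before["F2F"]
    return {
        "f2f_before": round(before["F2F"], 3),
        "f2f_after": round(after["F2F"], 3),
        "f2f_growth": round(growth, 3),
        "alert": after["F2F"] > max_f2f or growth > max_growth,
    }


if __name__ == "__main__":
    # With the constructed samples: F2F rises from 2% to 25%, so alert is True
    print(f2f_alert(STATS_BEFORE, STATS_AFTER))
```

Run the comparison on real output captured before and after a Threat Prevention policy install; a jump in the F2F share points at newly activated high-impact protections (or a profile change) as the cause, which is the moment to revisit the Performance Impact settings in the profile before relying on rate limiting to protect gateway CPU.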
What does ThreatCloud DGA Protection defend against?
Known malicious IPs
Infected URLs
Infected files
Newly created domains
The correct answer is D. Newly created domains . DGA means Domain Generation Algorithm , a technique used by malware to algorithmically create large numbers of domain names for command-and-control communication. Instead of hardcoding one static C2 domain, a bot can generate many possible domains over time, making takedown and static blocking much harder. Check Point’s Network Security Software Bundles datasheet states that Check Point AI Deep Learning blocks the latest DNS attacks, including Tunneling and Domain Generation Algorithm/DGA , and specifically blocks connections to the newest generation of malicious domains created via DGA.
This explains why the correct exam option is “newly created domains.” Known malicious IP blocking is a reputation and IP intelligence function, but it is not the specific purpose of DGA protection. Infected URLs and infected files are handled by URL reputation, Anti-Virus, Threat Emulation, and related Threat Prevention functions. DGA protection focuses on DNS-layer behavior and suspicious or algorithmically generated domain use, especially when malware attempts to contact rotating or recently generated domains for C2, payload retrieval, or data exfiltration. In operational terms, DGA protection is part of Anti-Bot and Advanced DNS defense, helping detect compromised hosts even when the malware infrastructure changes rapidly. Reference topics: ThreatCloud, DGA Protection, Advanced DNS, Anti-Bot, DNS C2 prevention.
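To make the DGA explanation concrete, the following Python is an added example, not Check Point's DGA engine (which the page describes as ThreatCloud AI deep learning). It scores the registrable label of each queried name on a few structural features that algorithmically generated names tend to share (digit density, vowel scarcity, high character entropy) and then counts hits per client, which is the host-centric, post-infection view Anti-Bot takes. The DNS query records, the toy suffix list and the thresholds are all constructed assumptions; dictionary-word DGAs would need different features.

```python
"""
Heuristic scoring of DNS queries for DGA-like domains and the hosts that
query them. Added example, not Check Point code; the sample queries, the
toy suffix list and the thresholds are constructed for illustration.
"""
import math
from collections import Counter, defaultdict

# Constructed sample DNS queries: (client IP, queried name)
SAMPLE_QUERIES = [
    ("10.1.2.3", "www.example.com"),
    ("10.1.2.3", "mail.google.com"),
    ("10.1.2.5", "cdn.cloudflare.net"),
    ("10.1.2.9", "xk3j9qlz0vb2.net"),
    ("10.1.2.9", "q8mz1v7rt4ye.org"),
    ("10.1.2.9", "ahd7fk2ppqw9.info"),
    ("10.1.2.9", "z0x9c8v7b6n5.com"),
]

# Toy public-suffix list (assumption; a real tool would use the full PSL)
TOY_SUFFIXES = {"com", "net", "org", "info"}
VOWELS = set("aeiou")


def registrable_label(domain):
    """'www.example.com' -> 'example': drop one toy suffix, keep the next label."""
    labels = domain.lower().strip(".").split(".")
    if len(labels) > 1 and labels[-1] in TOY_SUFFIXES:
        labels = labels[:-1]
    return labels[-1]


def shannon_entropy(s):
    """Character entropy in bits; 0.0 for an empty string."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def score_domain(domain):
    """Structural features of the registrable label plus a DGA verdict."""
    label = registrable_label(domain)
    n = len(label) or 1
    digit_ratio = sum(ch.isdigit() for ch in label) / n
    vowel_ratio = sum(ch in VOWELS for ch in label) / n
    entropy = shannon_entropy(label)
    # Illustrative thresholds: digit-heavy, or vowel-poor and high-entropy.
    dga = digit_ratio >= 0.25 or (vowel_ratio < 0.2 and entropy >= 3.0)
    return {
        "label": label,
        "entropy": round(entropy, 2),
        "digit_ratio": round(digit_ratio, 2),
        "vowel_ratio": round(vowel_ratio, 2),
        "dga": dga,
    }


def suspected_hosts(queries, min_hits=3):
    """Clients with at least min_hits DGA-like lookups. A single odd name
    is noise; a host cycling through many is the compromise indicator."""
    hits = defaultdict(int)
    for client, domain in queries:
        if score_domain(domain)["dga"]:
            hits[client] += 1
    return {client: count for client, count in hits.items() if count >= min_hits}


if __name__ == "__main__":
    for _, name in SAMPLE_QUERIES:
        print(score_domain(name))
    # With the constructed queries this reports {'10.1.2.9': 4}
    print(suspected_hosts(SAMPLE_QUERIES))
```

Note that entropy alone is a weak signal (a long legitimate label such as `cloudflare` scores above 3 bits), which is why the verdict combines it with vowel and digit ratios, and why the per-host count rather than any single domain is what you would escalate.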
What is necessary to do after an IPS Signature update?
Perform "Install Database".
Install the Threat Prevention Policy.
Those changes are immediately active.
Install the Access Control Policy.
The correct official-guide answer is B. Install the Threat Prevention Policy . IPS protections can be updated manually or by schedule, and Check Point documentation states that IPS can be updated with real-time information on attacks and the latest protections. However, the same official section explicitly notes that to enforce the IPS updates, you must install the Threat Prevention Policy . The documented update procedure also ends with installing the Threat Prevention Policy after selecting the IPS update method.
This distinction is important: downloading or updating the IPS package makes the updated protections available to management and policy logic, but enforcement on Security Gateways depends on policy installation. “Install Database” is not the correct enforcement step for gateway inspection. Installing the Access Control Policy is also incorrect because IPS ThreatCloud protections are part of the Threat Prevention policy framework, not the Access Control rulebase. The statement that changes are immediately active is not the current official behavior for enforcing IPS updates on gateways. In production operations, scheduled IPS updates may be paired with automatic Threat Prevention policy installation, but that still confirms the requirement: the policy must be installed for enforcement. Reference topics: Updating IPS Protections, Threat Prevention Policy installation, IPS update enforcement, scheduled updates.
At what point is the Anti-Bot blade enforced?
Pre-infection
Post-infection
Pre-inspection
Post-inspection
The correct answer is B. Post-infection . Anti-Bot is the Threat Prevention blade focused on identifying and stopping bot-infected hosts after compromise indicators appear. Check Point documentation explicitly describes Anti-Bot as performing post-infection detection of bots on hosts and preventing bot damage by blocking command-and-control communications. The broader Threat Prevention guide also lists Anti-Bot as post-infection detection and explains that it uses ThreatCloud intelligence and multiple detection methods to identify bot activity.
This differs from IPS and Anti-Virus positioning. IPS and Anti-Virus are commonly understood as pre-infection controls because they attempt to block exploit traffic or malicious files before the host is compromised. Anti-Bot, by contrast, assumes the possibility that a host may already be infected and focuses on detecting outbound C&C communication, botnet behavior, malicious destinations, and other compromise evidence. Pre-inspection and post-inspection are not valid lifecycle categories for this blade in the exam context. In real operations, Anti-Bot is especially valuable for finding infected internal machines that bypassed earlier preventive controls or became infected off-network. Reference topics: Anti-Bot Software Blade, post-infection detection, Command and Control prevention, ThreatCloud intelligence, botnet behavior detection.
What is the default SMS and SG update interval for IPS Protections (R80.20+)?
Six hours
Twelve hours
Two hours
Daily
The correct answer is C. Two hours . In R80.20 and later, Check Point supports direct scheduled updates from the Security Gateway for IPS protections, Anti-Virus, and Anti-Bot. The official Threat Prevention Scheduled Updates documentation states that IPS, Anti-Virus and Anti-Bot updates are performed every two hours by default . It also explains the R80.20 architectural change: before R80.20, IPS updates were downloaded to the Security Management Server and enforced by gateways after policy installation; starting from R80.20, gateways can directly download the updates.
The SMS/SG distinction matters operationally. In upgraded or mixed-version environments, scheduled update behavior can depend on whether the Management Server, Security Gateways, or both have been upgraded to R80.20 or higher. Gateways without Internet connectivity still require policy installation to enforce updates. The default interval tested here is the recurring update check for IPS protections in the R80.20+ scheduled-update model, and that interval is two hours. Six hours, twelve hours, and daily are not the documented default for IPS protections in this context. Daily applies to some Threat Emulation update components, not IPS protections. Reference topics: Threat Prevention Scheduled Updates, IPS protection updates, R80.20 direct gateway updates, Security Management Server update behavior, Security Gateway update interval.
Which process is responsible for Archive Scanning?
zipscn
psl_dlp
gzscn_proc
dlpu
The correct answer is A. zipscn . Archive Scanning is part of the Anti-Virus file-inspection workflow, where compressed archives must be unpacked and inspected before the gateway can make a final malware-prevention decision. Check Point documentation describes Archive Scanning as the configuration area used to define how the ThreatSpect engine unpacks and scans file archives . It also defines controls such as how long archive processing may continue and what action is taken if the maximum scan time is exceeded. In the Threat Prevention Administration Guide, enabling archive scanning is described as an Anti-Virus setting in which the Anti-Virus engine unpacks archives and applies proactive heuristics, with an explicit note that this feature can impact network performance.
The process name associated with this archive-processing function is zipscn . The distractors do not fit the archive-scanning function: psl_dlp and dlpu are associated with DLP/user-space processing contexts, while gzscn_proc is not the named Archive Scanning process for this blade function. Reference topics: Anti-Virus Settings, Archive Scanning, ThreatSpect engine, archive unpacking, proactive heuristics.
What type of layer is the Threat Prevention policy?
It can be ordered or inline
Inline
Post Access Control follow-up layer
Ordered
The correct answer is D. Ordered . Threat Prevention policy uses ordered policy layers. Check Point documentation states that you can create a Threat Prevention Rule Base with multiple Ordered Layers , and that Ordered Layers help organize the Rule Base according to organizational needs, such as services or networks. Each Policy Layer calculates its action separately from other layers, and when there is one layer in the policy package, the first matched rule is enforced.
This is a core certification distinction. Access Control can use ordered and inline layers, but Threat Prevention is treated as an ordered layer policy model. The policy evaluates rules in order and applies the appropriate Threat Prevention profile, blades, protection behavior, and tracking according to rule matching. Option C describes when Threat Prevention is applied in the traffic flow—after Access Control accepts the connection—but it does not answer the question about the layer type. Option A is incorrect because Threat Prevention is not both ordered and inline in this context. Option B is incorrect because inline layers are not the Threat Prevention layer type being tested here. Reference topics: Threat Prevention Policy Layers, Ordered Layers, first-match behavior, policy-layer calculation, Threat Prevention Rule Base.
Which protection setting is generally the MOST resource intensive?
Inactive
Prevent
Inspect
Detect
The correct answer is B. Prevent . From a performance perspective, the most resource-intensive setting is generally the one that requires the gateway not only to inspect and identify the threat, but also to enforce a blocking decision inline. Prevent mode means the protection is actively applied to traffic and the gateway must make a real-time enforcement decision. Check Point explains that Threat Prevention profiles activate protections based on factors that include the performance impact of the protection , threat severity, confidence level, and blade-specific settings. Check Point’s IPS optimization guidance also warns that some protections require more system resources to inspect traffic and recommends focusing on lower-impact protections when reducing gateway resource use is necessary.
By comparison, Inactive is the least intensive because the protection is not enforced. Detect can log or report detection without blocking, which is useful for staging and troubleshooting. Inspect still consumes inspection resources, but Prevent typically represents the highest operational burden because it performs inline analysis and enforcement, and may require buffering, stream handling, packet modification, or connection termination depending on blade and protocol. In real deployments, the exact resource cost also depends on traffic mix, protocol, file size, SSL inspection, protection complexity, and whether traffic remains accelerated. Reference topics: IPS Profile Settings, protection activation, Prevent versus Detect, Performance Impact, IPS optimization.
Where is IPS primarily enforced?
Post-infection
Post-inspection
Pre-infection
Pre-inspection
The correct answer is C. Pre-infection . IPS is primarily a pre-infection protection because it is designed to stop exploitation attempts before the target host is compromised. Check Point describes its Threat Prevention solution as a multi-layered defense with both pre-infection and post-infection protections. Within that framework, IPS is the blade that delivers proactive intrusion prevention through signatures, behavioral protections, and preemptive protections, adding protection on top of Firewall enforcement.
This differs from Anti-Bot, which is classically post-infection because it detects infected hosts communicating with command-and-control infrastructure. IPS focuses earlier in the attack chain: reconnaissance, vulnerability exploitation, protocol violations, malicious payload delivery, and attempts to abuse exposed client or server software. It inspects packets and data for risks before successful exploitation results in malware installation, unauthorized access, or control of the system. “Post-inspection” and “pre-inspection” are not the correct lifecycle categories for IPS in Check Point certification terminology. “Post-infection” belongs more naturally to Anti-Bot and compromised-host detection. Reference topics: Threat Prevention Solution, IPS Software Blade, pre-infection defense, proactive intrusion prevention, exploit prevention.
TESTED 30 May 2026
Copyright © 2014-2026 DumpsTool. All Rights Reserved