What kind of information is stored in the Audit Log?
Answer: A
The correct answer is A. An audit log is a record of actions taken by administrators. In the Check Point management architecture, audit logs are distinct from traffic logs, threat logs, and operating-system event logs. A traffic log records inspected network connections and blade decisions. A threat log records Threat Prevention detections, preventions, packet captures, forensic details, and blade-specific events. An audit log records administrative activity performed in the management environment. The Check Point glossary defines an Audit Log as a log that contains administrator actions on a Management Server, including login and logout, creation or modification of an object, and installation of a policy.
This is operationally important because audit logs support accountability and change control. When investigating a policy change, exception addition, blade enablement, profile modification, or installation event, the audit trail shows which administrator performed the action and when it occurred. Option B is incorrect because system event logs are not the same as audit logs. Option C describes a filtered view of logs, not an audit record. Option D is incorrect because gateway system logs are operational logs from enforcement points, while audit logs are management-plane administrative records. Reference topics: Audit Logs, administrator actions, Management Server accountability, policy installation auditing, change tracking.
What information is provided by "fwaccel stats"?
Answer: B
The correct answer is B. You can check the percentage of F2F connections along with the reason why those connections could not be accelerated. The command fwaccel stats is part of SecureXL performance analysis. It is used to inspect how traffic is distributed across acceleration paths and firewall paths, which is essential when Threat Prevention blades or deep inspection features push traffic away from full acceleration. Check Point's Performance Tuning documentation shows that fwaccel stats -s provides a summary including accelerated packets, F2Fed packets, F2V packets, CPASXL packets, PSLXL packets, and related totals.
The same documentation explains that F2F packets are packets SecureXL forwarded to the Firewall kernel in the slow path. This makes the command directly useful when diagnosing performance issues caused by non-accelerated inspection, SecureXL violations, or traffic that must be inspected by firewall and Threat Prevention components. Option A is wrong because fwaccel stats does not enable QoS acceleration. Option C is too generic; the command is not merely utilization monitoring. Option D better describes fwaccel stat, which reports SecureXL status, accelerated interfaces, and accelerated features. Reference topics: SecureXL, fwaccel stats, F2F packets, accelerated path, firewall path, performance troubleshooting.
Mike wants to block all files in the event of internal failure; what option should he choose?
Answer: B
The correct answer is B. Fail-close. Fail mode defines how the Threat Prevention inspection engine behaves when it is overloaded or experiences an internal failure. Check Point's Threat Prevention Engine Settings documentation defines two options: Allow all connections (Fail-open) and Block all connections (Fail-close). Fail-open allows connections when the engine is overloaded or fails; Fail-close blocks connections in that condition.
Because the question specifically says Mike wants to block all files if an internal failure occurs, the secure choice is fail-close. This prioritizes protection and containment over availability. It is appropriate where allowing unscanned files would be unacceptable, such as highly regulated environments, malware-sensitive segments, or traffic paths carrying untrusted downloads. The tradeoff is operational: fail-close can interrupt business traffic if the inspection engine is unavailable, overloaded, or unable to complete the decision. Fail-open is the default availability-oriented behavior because it keeps traffic moving during failure, but it permits files or connections that may not have completed inspection. "Open system" and "closed system" are not the correct Check Point Threat Prevention fail-mode terms in this context. Reference topics: Threat Prevention Engine Settings, ThreatSpect fail mode, fail-open, fail-close, inspection failure handling.
What is the purpose of the Profile Cleanup option?
Answer: A
The correct answer is A. It lets you start over by removing all administrator overrides. Profile Cleanup is a profile-maintenance function used when manual IPS protection changes have accumulated and the administrator wants to return the profile to its intended baseline logic. Check Point's IPS Protections documentation describes the Profile Cleanup window as offering actions such as Remove all user modified and Clear all staging, followed by installing the Threat Prevention Policy.
This makes the feature a reset and hygiene mechanism, not a rulebase cleanup action. It removes administrator-level overrides that may have been introduced during tuning, temporary mitigation, testing, exception handling, or staged rollout of protections. Option B is incorrect because Profile Cleanup does not merge settings from several profiles into the Optimized Profile. Option C is incorrect because unmatched traffic handling is controlled by policy and rule behavior, not by Profile Cleanup. Option D is incorrect because this option does not automatically remove protections based on how long they have been in use. The administrative value of Profile Cleanup is control: it lets the security architect re-align a profile with its default or intended activation criteria. Reference topics: IPS Protections, Activation Overrides, Profile Cleanup, Staging, Threat Prevention Policy installation.
What is the default SMS and SG update interval for IPS Protections (R80.20+)?
Answer: C
The correct answer is C. Two hours. In R80.20 and later, Check Point supports direct scheduled updates from the Security Gateway for IPS protections, Anti-Virus, and Anti-Bot. The official Threat Prevention Scheduled Updates documentation states that IPS, Anti-Virus and Anti-Bot updates are performed every two hours by default. It also explains the R80.20 architectural change: before R80.20, IPS updates were downloaded to the Security Management Server and enforced by gateways after policy installation; starting from R80.20, gateways can directly download the updates.
The SMS/SG distinction matters operationally. In upgraded or mixed-version environments, scheduled update behavior can depend on whether the Management Server, Security Gateways, or both have been upgraded to R80.20 or higher. Gateways without Internet connectivity still require policy installation to enforce updates. The default interval tested here is the recurring update check for IPS protections in the R80.20+ scheduled-update model, and that interval is two hours. Six hours, twelve hours, and daily are not the documented default for IPS protections in this context. Daily applies to some Threat Emulation update components, not IPS protections. Reference topics: Threat Prevention Scheduled Updates, IPS protection updates, R80.20 direct gateway updates, Security Management Server update behavior, Security Gateway update interval.
Which Threat Prevention signature updates can you trigger manually?
Answer: D
The correct answer is D. IPS, Antivirus and Antibot. Threat Prevention updates can be scheduled automatically, but administrators can also manually trigger updates for the major signature/intelligence-driven Threat Prevention blades. Check Point's scheduled-update documentation states that automatic gateway updates can be configured for Anti-Virus, Anti-Bot, Threat Emulation, and IPS blades. It also explains that Anti-Virus, Anti-Bot, and Threat Emulation gateways download updates directly from the Check Point cloud, while IPS update behavior changed from management-based enforcement before R80.20 to gateway direct download starting in R80.20.
In the exam context, the manually triggered signature-update set is IPS, Anti-Virus, and Anti-Bot. These blades depend heavily on continuously updated threat intelligence, signatures, malicious domains, command-and-control intelligence, malware classification, and IPS protection packages. Option B is too narrow because IPS is not the only manually updateable Threat Prevention component. Option C is incomplete because it omits Anti-Bot. Option A is not a valid update-set answer. Operationally, manual updates are used when an urgent threat advisory, lab recommendation, incident response condition, or failed scheduled update requires immediate refresh of protection data. Reference topics: Threat Prevention Updates, IPS Updates, Anti-Virus Updates, Anti-Bot Updates, scheduled and manual update workflow.
How many Custom Threat Indicators patterns/observables does R81.20 support?
Answer: D
The correct answer is D. 2 million. In R81.20, Check Point expanded the supported scale for custom threat intelligence observables. The R81.20 Threat Prevention Administration Guide states that, starting from R81.20, the Security Gateway supports at least 2 million patterns/observables for URL, Domain, IP address, and Hash observable types. It also notes that the maximum number is limited by available memory and disk space on the Security Gateway, and that the gateway checks whether 50% of total memory is free before loading more patterns or observables.
This capability applies to Custom Intelligence Feeds, which let administrators fetch feeds from third-party servers directly to the Security Gateway for enforcement by the Anti-Virus, Anti-Bot, and IPS blades. The feature reduces operational overhead by allowing external indicators to be managed and monitored through the Threat Prevention enforcement path. The incorrect options either understate or overstate the documented baseline. "Unlimited" is also incorrect because Check Point explicitly ties the upper boundary to memory and disk capacity. Reference topics: Custom Threat Indicators, External IoC Feeds, Custom Intelligence Feeds, observable scale, R81.20 Threat Prevention, URL/domain/IP/hash indicators.