CheckPoint Check Point Certified Threat Prevention Specialist Exam 156-590 CTPS Exam Questions

Page: 1 / 14
Total 75 questions
Question 1

What is the purpose of the Profile Cleanup option?



Answer : A

The correct answer is A. It lets you start over by removing all administrator overrides. Profile Cleanup is a profile-maintenance function used when manual IPS protection changes have accumulated and the administrator wants to return the profile to its intended baseline logic. Check Point's IPS Protections documentation describes the Profile Cleanup window as offering actions such as Remove all user modified and Clear all staging, followed by installing the Threat Prevention Policy.

This makes the feature a reset and hygiene mechanism, not a rulebase cleanup rule. It removes administrator-level overrides that may have been introduced during tuning, temporary mitigation, testing, exception handling, or staged rollout of protections. Option B is incorrect because Profile Cleanup does not merge settings from several profiles into the Optimized Profile. Option C is incorrect because unmatched traffic handling is controlled by policy/rule behavior, not by Profile Cleanup. Option D is incorrect because protections are not automatically removed based on usage age by this option. The administrative value of Profile Cleanup is control: it lets the security architect re-align a profile with its default or intended activation criteria. Reference topics: IPS Protections, Activation Overrides, Profile Cleanup, Staging, Threat Prevention Policy installation.


Question 2

What is the main purpose of IPS Implied Exceptions?



Answer : C

The correct answer is C. This feature is to prevent IPS Enforcement to interfere with important Security Gateway operations, such as Control Connections. IPS Implied Exceptions are designed as safeguard exceptions for traffic that is necessary for the Security Gateway, management, or Check Point infrastructure to operate correctly. The purpose is not to define general unmatched-traffic behavior. Instead, they prevent IPS enforcement from disrupting essential control-plane and gateway-related communications. Check Point's Threat Prevention exception documentation shows that IPS exceptions are a formal part of policy tuning and that exception changes are enforced through policy installation.

The operational logic is straightforward: IPS protections can be aggressive, and some protections inspect protocol behavior that may resemble attack traffic. If critical control connections, management channels, clustering traffic, or internal gateway operations were treated exactly like ordinary data-plane traffic, IPS could interfere with the stability of the platform. Implied Exceptions provide a built-in safety layer to avoid that outcome. Options A, B, and D incorrectly describe rulebase cleanup behavior or layer absence behavior. Those concerns are handled by policy structure, ordered layers, and default/cleanup behavior, not by IPS Implied Exceptions. Reference topics: IPS Exceptions, Implied IPS Exceptions, control connections, gateway operations, exception rule policy installation.


Question 3

What does ThreatCloud DGA Protection defend against?



Answer : D

The correct answer is D. Newly created domains. DGA means Domain Generation Algorithm, a technique used by malware to algorithmically create large numbers of domain names for command-and-control communication. Instead of hardcoding one static C2 domain, a bot can generate many possible domains over time, making takedown and static blocking much harder. Check Point's Network Security Software Bundles datasheet states that Check Point AI Deep Learning blocks the latest DNS attacks, including Tunneling and Domain Generation Algorithm/DGA, and specifically blocks connections to the newest generation of malicious domains created via DGA.

This explains why the correct exam option is ''newly created domains.'' Known malicious IP blocking is a reputation and IP intelligence function, but it is not the specific purpose of DGA protection. Infected URLs and infected files are handled by URL reputation, Anti-Virus, Threat Emulation, and related Threat Prevention functions. DGA protection focuses on DNS-layer behavior and suspicious or algorithmically generated domain use, especially when malware attempts to contact rotating or recently generated domains for C2, payload retrieval, or data exfiltration. In operational terms, DGA protection is part of Anti-Bot and Advanced DNS defense, helping detect compromised hosts even when the malware infrastructure changes rapidly. Reference topics: ThreatCloud, DGA Protection, Advanced DNS, Anti-Bot, DNS C2 prevention.


Question 4

What are the common features included in the NGFW, NGTP and SNBT packages, respectively?



Answer : B

The correct answer is B. Firewall, Identity Awareness, Content Awareness, and IPS. The question asks for features common across the NGFW, NGTP, and SNBT package families. Check Point's Network Security Software Bundles datasheet shows that Firewall, Identity Awareness, Content Awareness, and IPS are included across NGFW, NGTP, and SNBT. The same table also shows Application Control and several other capabilities, but among the listed answers, option B is the one whose components are common to all three package columns.

The package progression is important. NGFW is the base next-generation firewall bundle and includes core access-control and IPS capability. NGTP includes NGFW capabilities and adds prevention features such as Anti-Virus, Anti-Bot, URL Filtering, and DNS Security. SNBT, or SandBlast, includes NGTP and adds advanced zero-day protections such as Threat Emulation, Threat Extraction, and Zero Phishing. Therefore, answers containing Anti-Virus, Anti-Bot, or Threat Emulation are not ''common'' to all three packages. Anti-Virus and Anti-Bot are not part of the base NGFW package in the table, and Threat Emulation is specific to SNBT. Reference topics: Check Point Security Gateway Software Bundles, NGFW, NGTP, SNBT, IPS, Identity Awareness, Content Awareness.


Question 5

What is the maximum number of patterns/observables are supported in R81.20 IOC Files?



Answer : B

The correct answer for the uploaded course-question set is B. 1 Million. IOC files are used to import indicators of compromise so that the gateway can match known malicious or suspicious observables such as domains, URLs, IP addresses, and file hashes. In the Threat Prevention architecture, these indicators complement ThreatCloud intelligence by letting administrators add organization-specific or third-party intelligence into enforcement. The key certification point in this question is scale: R81.20 IOC Files are tested with a maximum of 1 million patterns or observables in this exam context.

Operationally, this limit matters because large IOC files affect memory use, update processing, compilation time, and gateway enforcement behavior. Architects should avoid treating IOC ingestion as unlimited; feeds must be curated, deduplicated, normalized, and prioritized. The current public R81.20 release documentation distinguishes expanded IoC feed scale and states that IoC feeds can support significantly more observables on XFS systems, while EXT3 has a lower limit. For this specific question wording, however, the answer key's ''IOC Files'' limit is 1 Million, while later Custom Threat Indicators and external-feed capacities are treated separately in related questions. Reference topics: IOC Files, Threat Indicators, R81.20 Threat Prevention, observable limits, feed sizing and gateway resource planning.


Question 6

What happens to traffic that matches the Access Control Policy but not the Threat Prevention Policy?



Answer : D

The correct answer is D. The traffic is not dropped. It is simply not inspected by the Threat Prevention Engine. Access Control and Threat Prevention are separate enforcement stages. The Access Control policy first decides whether the connection is allowed, rejected, or dropped. If Access Control accepts the connection, Threat Prevention is then applied only if the connection matches a Threat Prevention rule and therefore receives a Threat Prevention profile. Check Point documentation describes Threat Prevention policy as the mechanism used to activate only the protections needed and prevent attacks that most threaten the network. It also explains that Threat Prevention policy layers calculate their action separately and that in a single layer, the first matched rule is enforced.

Therefore, if accepted traffic does not match the Threat Prevention rulebase, no Threat Prevention profile is selected for that connection. The traffic is not blocked merely because of the non-match; it passes according to the Access Control decision, but without Threat Prevention inspection. Option A is too aggressive and incorrect. Option B incorrectly assumes logging. Option C is directionally true but incomplete because the key point is that Threat Prevention inspection is not applied. Reference topics: Access Control before Threat Prevention, Threat Prevention Rule Base, profile selection, unmatched traffic, ordered layer evaluation.


Question 7

Which process is responsible for communication with the Check Point ThreatCloud for the sake of Anti-Virus Protection Update?



Answer : A

The correct answer is A. The CPAS Daemon (cpasd). In the course-guide context, cpasd is the process associated with Anti-Virus communication toward Check Point ThreatCloud for protection-update and classification purposes. The functional reason is that Anti-Virus file inspection depends on Check Point's ThreatSpect and ThreatCloud intelligence pipeline. Check Point documentation explains that each Security Gateway has a Malware database and a local cache; when the cache has no answer, it queries the ThreatCloud repository. For Anti-Virus, the signature is sent for file classification.

The ThreatCloud network is dynamically updated and distributes attack information that can convert zero-day attack data into known signatures that Anti-Virus can block. This explains why the communication process matters: AV enforcement is not limited to a static local signature set; it relies on cloud-assisted reputation, classification, and continuously updated intelligence. The distractors do not match this function. RAD is mainly associated with resource categorization and URL/Application intelligence. pslavd is not the ThreatCloud update communication process named in this question. ted belongs to Threat Emulation, not Anti-Virus protection updates. Reference topics: Anti-Virus, CPAS/cpasd, ThreatCloud repository, Malware database, local cache, file classification.


Page:    1 / 14   
Total 75 questions