Free Practice Questions for Checkpoint 156-590 Exam

The correct answer is B. The executive reports generally contain abstract information without much technical detail. You have to use Smart Event Threat Prevention Report filtered for last week data . For executive communication, the correct SmartEvent mechanism is a report rather than a raw log export or interactive operational view. Check Point documentation explains that views and reports can be exported to PDF or CSV using defined filters and time frames, and that reports summarize network activity and Security Policy enforcement generated by Check Point products such as SmartEvent.

A CEO-level security-incident briefing should emphasize risk, timeline, impact, affected assets, attack category, prevention outcome, and recommended remediation, without requiring the recipient to interpret raw logs or technical blade details. A Threat Prevention Report filtered for last week provides the appropriate time-bounded summary. Option A is overly manual and uses a view plus CSV/PDF conversion rather than the report mechanism. Option C incorrectly shifts the workflow to SmartLog filtering and an external report generator. Option D uses a view, which is better suited for live or interactive operational analysis by administrators, not executive distribution. Reference topics: SmartEvent Reports, Threat Prevention Report, report time filters, executive reporting, exporting reports.

The correct answer is D. Verify Threat Prevention Blades are performing properly . Benign testing sites are controlled test resources used to validate that the Threat Prevention path is functioning without exposing the organization to real malware or live malicious infrastructure. Check Point documentation includes examples of test events generated by a Security Gateway, including a path named TestAntiBotBlade.html , which demonstrates that test-oriented resources can be used to confirm Anti-Bot/ThreatCloud detection and logging behavior without relying on an actual infection.

The key purpose is operational validation: confirm that the blade is enabled, the gateway can query or use ThreatCloud intelligence, the correct policy is installed, logs are generated, and the expected prevent/detect behavior occurs. Option A is narrower because rulebase reaction may be one part of testing, but the broader goal is to verify blade operation. Option B is also too narrow because SmartEvent visibility depends on logging and event correlation, while the test’s main purpose is not specifically SmartEvent validation. Option C is incorrect because benign testing sites are not used to decide whether real URLs are malicious; they are intentionally safe test endpoints. Reference topics: Threat Prevention blade validation, Anti-Bot test page, ThreatCloud event testing, logging verification, operational health checks.

The correct answer is B. Intrusion Prevention System . In Check Point terminology, IPS is the Software Blade responsible for inspecting and analyzing packets and data for numerous risk types. The official Check Point Threat Prevention documentation identifies IPS as Intrusion Prevention System and describes IPS protections as part of the Threat Prevention Software Blade framework.

IPS is more than a simple signature engine. It provides vulnerability-oriented and exploit-oriented protections, including protections mapped to CVEs, protocol anomalies, command injection patterns, server-side attacks, client-side attacks, and other known or unknown exploitation behaviors. Check Point also describes IPS as delivering proactive intrusion prevention with thousands of signatures, behavioral protections, and preemptive protections, adding another layer of security above firewall enforcement.

The incorrect options misuse the term “Invasion” or replace “System” with “Software.” Although IPS is implemented as a Check Point Software Blade, the acronym itself expands to Intrusion Prevention System . In policy design, IPS is treated as a pre-infection prevention capability that stops exploitation before compromise, rather than as a post-infection malware-detection control. Reference topics: IPS Software Blade, Intrusion Prevention System definition, IPS protections, CVE-based protections, proactive intrusion prevention.

The correct answer is B. Forensics . In Threat Prevention policy tracking, Forensics is the tracking option intended to enrich Threat Prevention logs with additional investigation data. Check Point documentation states that the Forensics option adds fields to the Threat Prevention logs , and that this extra information provides a deeper understanding of an attack. The Monitoring Threat Prevention section further explains that Advanced Forensics Details can appear in logs for supported protocols such as DNS, FTP, SMTP, HTTP, and HTTPS, and that this additional information is used by Check Point researchers to analyze attacks.

This is why Forensics is the correct TAC-oriented tracking choice. Alert is a notification-style tracking action, not a deep forensic enrichment mechanism. SNMP sends a management notification, and User Defined invokes administrator-defined alert handling rather than supplying advanced attack-analysis fields. In operational troubleshooting, Forensics is valuable because it preserves richer evidence around the inspected connection, affected blade, protocol behavior, and detection context. Reference topics: Threat Prevention Policy Track Options, Advanced Forensics Details, Logs & Monitor, TAC escalation analysis.

The correct answer is B. Next Generation Full Protection . Check Point’s documented security subscription package families include NGFW , NGTP , and SNBT/SandBlast . Check Point’s 3600 Security Gateway datasheet explicitly lists NGFW , NGTP , and SNBT (SandBlast) as all-inclusive security package columns. The Network Security Software Bundles datasheet also presents the same package structure: NGFW as the base Next Generation Firewall bundle, NGTP as the Next-Gen Threat Prevention package, and SNBT as the SandBlast package that includes NGTP and adds zero-day protection capabilities.

Therefore, Next Generation Firewall , Next Generation Threat Prevention , and SandBlast are valid Check Point blade bundle names in this context. Next Generation Full Protection is not the documented bundle name. It may sound plausible because it describes a comprehensive security posture, but certification questions require exact product and package terminology. In Check Point licensing and subscription design, using the correct bundle name matters because each package maps to a defined set of Software Blades and subscription entitlements. NGFW provides the base firewall/IPS access-control package, NGTP adds known-threat prevention, and SNBT adds advanced SandBlast zero-day protections such as Threat Emulation, Threat Extraction, and Zero Phishing. Reference topics: Check Point Software Blade bundles, NGFW, NGTP, SNBT/SandBlast, package entitlement mapping.

The correct answer is B. Update Now, Schedule Update, Follow Protections . Check Point IPS protection maintenance includes manual updating, scheduled updating, and a follow-up workflow for newly updated protections. The official IPS Protections documentation explains that administrators can immediately update IPS from Custom Policy Tools > Updates > IPS > Update Now , and that IPS protections can also be updated by configuring a schedule for automatic downloads. It also notes that IPS updates require Threat Prevention Policy installation for enforcement.

The same IPS Protections section describes Follow Up behavior for protections: administrators can mark protections for follow-up, filter on them later, and updated protections can be automatically marked for follow-up so they can be reviewed after update. In the course-question wording, this maps to “Follow Protections.” The purpose is operational control: update now provides immediate package retrieval, scheduled update automates routine maintenance, and follow protections gives administrators a practical workflow to review newly added or changed IPS protections. The other options either use non-standard names or omit the protection-review workflow. Reference topics: IPS Protections, Update Now, Scheduling IPS Updates, Follow Up Protections, Threat Prevention Policy installation.

The correct answer is B. You have to re-install the Threat Prevention policy . Threat Prevention exceptions are policy constructs, so they must be compiled and installed to the relevant Security Gateways before they affect enforcement. Check Point documentation for creating IPS exceptions shows the workflow: create or configure the exception rule, click OK, and then Install Policy . The Custom Threat Prevention guide also explains that Threat Prevention blades have a dedicated Threat Prevention policy and that this policy can be installed separately from Access Control. It explicitly recommends installing only the Threat Prevention policy to minimize performance impact on Security Gateways.

This is why Install Database is not sufficient. Install Database updates management-side objects and databases, but it does not enforce a new Threat Prevention exception on gateways. Installing Access Control policy is also the wrong policy domain because Anti-Virus, Anti-Bot, IPS, Threat Emulation, and Threat Extraction exceptions belong to Threat Prevention. The change is not immediately active because Security Gateways enforce compiled policy, not unpublished or uninstalled SmartConsole changes. Reference topics: Threat Prevention Exceptions, IPS Exceptions, policy installation targets, dedicated Threat Prevention policy, exception enforcement lifecycle.

The correct answer is A. It lets you start over by removing all administrator overrides . Profile Cleanup is a profile-maintenance function used when manual IPS protection changes have accumulated and the administrator wants to return the profile to its intended baseline logic. Check Point’s IPS Protections documentation describes the Profile Cleanup window as offering actions such as Remove all user modified and Clear all staging , followed by installing the Threat Prevention Policy.

This makes the feature a reset and hygiene mechanism, not a rulebase cleanup rule. It removes administrator-level overrides that may have been introduced during tuning, temporary mitigation, testing, exception handling, or staged rollout of protections. Option B is incorrect because Profile Cleanup does not merge settings from several profiles into the Optimized Profile. Option C is incorrect because unmatched traffic handling is controlled by policy/rule behavior, not by Profile Cleanup. Option D is incorrect because protections are not automatically removed based on usage age by this option. The administrative value of Profile Cleanup is control: it lets the security architect re-align a profile with its default or intended activation criteria. Reference topics: IPS Protections, Activation Overrides, Profile Cleanup, Staging, Threat Prevention Policy installation.

The correct answer is A. The CPAS Daemon (cpasd) . In the course-guide context, cpasd is the process associated with Anti-Virus communication toward Check Point ThreatCloud for protection-update and classification purposes. The functional reason is that Anti-Virus file inspection depends on Check Point’s ThreatSpect and ThreatCloud intelligence pipeline. Check Point documentation explains that each Security Gateway has a Malware database and a local cache; when the cache has no answer, it queries the ThreatCloud repository. For Anti-Virus, the signature is sent for file classification.

The ThreatCloud network is dynamically updated and distributes attack information that can convert zero-day attack data into known signatures that Anti-Virus can block. This explains why the communication process matters: AV enforcement is not limited to a static local signature set; it relies on cloud-assisted reputation, classification, and continuously updated intelligence. The distractors do not match this function. RAD is mainly associated with resource categorization and URL/Application intelligence. pslavd is not the ThreatCloud update communication process named in this question. ted belongs to Threat Emulation, not Anti-Virus protection updates. Reference topics: Anti-Virus, CPAS/cpasd, ThreatCloud repository, Malware database, local cache, file classification.

The correct answer is A. zipscn . Archive Scanning is part of the Anti-Virus file-inspection workflow, where compressed archives must be unpacked and inspected before the gateway can make a final malware-prevention decision. Check Point documentation describes Archive Scanning as the configuration area used to define how the ThreatSpect engine unpacks and scans file archives . It also defines controls such as how long archive processing may continue and what action is taken if the maximum scan time is exceeded. In the Threat Prevention Administration Guide, enabling archive scanning is described as an Anti-Virus setting in which the Anti-Virus engine unpacks archives and applies proactive heuristics, with an explicit note that this feature can impact network performance.

The process name associated with this archive-processing function is zipscn . The distractors do not fit the archive-scanning function: psl_dlp and dlpu are associated with DLP/user-space processing contexts, while gzscn_proc is not the named Archive Scanning process for this blade function. Reference topics: Anti-Virus Settings, Archive Scanning, ThreatSpect engine, archive unpacking, proactive heuristics.