Free Practice Questions for Checkpoint 156-590 Exam

The correct answer is C. ThreatCloud DNS Tunneling Protection . Check Point R81.20 introduced major Advanced Threat Prevention enhancements, including AI Deep Learning improvements for DNS attacks. The R81.20 Release Notes state that AI Deep Learning prevents more DNS attacks in real time and specifically reference ThreatCloud DNS tunneling protection as part of the DNS Security enhancements.

DNS tunneling protection is distinct from Malware DNS Trap. Malware DNS Trap returns a false or bogus IP address for known malicious hosts and domains, and it can help identify compromised clients by observing connection attempts to the false trap address. That mechanism is represented by option A/B, but it is not the R81.20-introduced DNS protection being tested here. ThreatCloud DNS Tunneling Protection targets a different technique: abuse of DNS as a covert channel for command-and-control, data exfiltration, or tunneling traffic through recursive DNS infrastructure. Option D is unrelated to Check Point DNS Threat Prevention architecture. Reference topics: R81.20 Advanced Threat Prevention, DNS Security, ThreatCloud DNS Tunneling Protection, Malware DNS Trap, Anti-Bot and Anti-Virus DNS protections.

The correct answer is D. The rule is contained on a single line. There are two logical sections: Rule Header and Rule Options . SNORT signatures are supported in Check Point Threat Prevention as custom IPS-style protections, and their structure follows the standard SNORT rule model. Official Snort documentation states that the rule header includes the text before the first parenthesis, while the body contains the rule options between parentheses. It also shows a complete rule with header and option definitions. The classic Snort rule reference describes the two logical sections as the rule header and rule options .

In the exam wording, the expected construction is a single-line rule composed of these two logical sections. The header defines the coarse traffic selector and action, such as alert/drop, protocol, source, destination, ports, and direction. The options define the detailed detection logic, such as message, content match, flow, metadata, and signature identifier. “Payload” is not the correct formal name for the second logical section, which eliminates options A and C. Option B uses the correct logical sections but incorrectly states that the rule is contained on two lines. Reference topics: SNORT Signature Support, custom IPS protections, Rule Header, Rule Options, signature syntax.

The correct answer is C. Two hours . In R80.20 and later, Check Point supports direct scheduled updates from the Security Gateway for IPS protections, Anti-Virus, and Anti-Bot. The official Threat Prevention Scheduled Updates documentation states that IPS, Anti-Virus and Anti-Bot updates are performed every two hours by default . It also explains the R80.20 architectural change: before R80.20, IPS updates were downloaded to the Security Management Server and enforced by gateways after policy installation; starting from R80.20, gateways can directly download the updates.

The SMS/SG distinction matters operationally. In upgraded or mixed-version environments, scheduled update behavior can depend on whether the Management Server, Security Gateways, or both have been upgraded to R80.20 or higher. Gateways without Internet connectivity still require policy installation to enforce updates. The default interval tested here is the recurring update check for IPS protections in the R80.20+ scheduled-update model, and that interval is two hours. Six hours, twelve hours, and daily are not the documented default for IPS protections in this context. Daily applies to some Threat Emulation update components, not IPS protections. Reference topics: Threat Prevention Scheduled Updates, IPS protection updates, R80.20 direct gateway updates, Security Management Server update behavior, Security Gateway update interval.

The correct answer is B. You can check the percentage of F2F connections along with the reason why those connections could not be accelerated . The command fwaccel stats is part of SecureXL performance analysis. It is used to inspect how traffic is distributed across acceleration paths and firewall paths, which is essential when Threat Prevention blades or deep inspection features push traffic away from full acceleration. Check Point’s Performance Tuning documentation shows that fwaccel stats -s provides a summary including accelerated packets, F2Fed packets, F2V packets, CPASXL packets, PSLXL packets, and related totals.

The same documentation explains that F2F packets are packets SecureXL forwarded to the Firewall kernel in the slow path. This makes the command directly useful when diagnosing performance issues caused by non-accelerated inspection, SecureXL violations, or traffic that must be inspected by firewall and Threat Prevention components. Option A is wrong because fwaccel stats does not enable QoS acceleration. Option C is too generic; the command is not merely utilization monitoring. Option D better describes fwaccel stat , which reports SecureXL status, accelerated interfaces, and accelerated features. Reference topics: SecureXL, fwaccel stats, F2F packets, accelerated path, firewall path, performance troubleshooting.

The correct answer is B. fail-close . Fail mode defines how the Threat Prevention inspection engine behaves when it is overloaded or experiences an internal failure. Check Point’s Threat Prevention Engine Settings documentation defines two options: Allow all connections (Fail-open) and Block all connections (Fail-close) . Fail-open allows connections when the engine is overloaded or fails; Fail-close blocks connections in that condition.

Because the question specifically says Mike wants to block all files if an internal failure occurs, the secure choice is fail-close. This prioritizes protection and containment over availability. It is appropriate where allowing unscanned files would be unacceptable, such as highly regulated environments, malware-sensitive segments, or traffic paths carrying untrusted downloads. The tradeoff is operational: fail-close can interrupt business traffic if the inspection engine is unavailable, overloaded, or unable to complete the decision. Fail-open is the default availability-oriented behavior because it keeps traffic moving during failure, but it permits files or connections that may not have completed inspection. “Open system” and “closed system” are not the correct Check Point Threat Prevention fail-mode terms in this context. Reference topics: Threat Prevention Engine Settings, ThreatSpect fail mode, fail-open, fail-close, inspection failure handling.

The correct answer is B. Removes all Administrator overrides . Profile Cleanup is a Threat Prevention profile hygiene tool used mainly in IPS protection management. When administrators manually override protections during tuning, exception handling, false-positive analysis, emergency hardening, or staged deployment, those manual changes can accumulate and cause the profile to deviate from its intended design. Check Point’s IPS Protections documentation states that the Profile Cleanup window lets the administrator select actions such as Remove all user modified and Clear all staging , then install the Threat Prevention Policy.

This directly maps to removing administrator overrides. The option does not automatically set all protections to Detect only; Detect is an action used in specific protection or staging contexts, not the purpose of Profile Cleanup. It also does not delete exemptions, because exception rules are separate policy constructs. It does not repair or remove corrupt updates; IPS update package handling is managed through the update and revert workflow. Profile Cleanup is best understood as a reset mechanism: it clears manual activation or staging deviations so the profile can return to its baseline activation policy and blade settings. Reference topics: IPS Protections, Profile Cleanup, Remove all user modified, Clear all staging, Threat Prevention Policy installation.

The correct answer is C. External . Anti-Virus protected scope settings define which traffic direction and interface types are sent for file inspection. Check Point explains that these settings are based on interface type, such as internal or external, and traffic direction, such as incoming or outgoing. In the Anti-Virus Protected Scope section, Check Point defines the option Inspect incoming files from and lists interface choices including External , External and DMZ , and All . The External choice means the gateway inspects incoming files from external interfaces, while files from DMZ and internal interfaces are not inspected.

The default exam answer is therefore External: the baseline Anti-Virus behavior focuses on inbound files arriving from untrusted external interfaces, which is the most common malware-introduction path for perimeter deployments. Option A is too narrow because DMZ alone would ignore Internet-to-user inbound exposure. Option B expands inspection to DMZ traffic, which is valid as a configuration choice but not the default answer. Option D is broader still and increases inspection coverage and resource use, but it is not the default protected-scope setting in this question. Reference topics: Anti-Virus Settings, Protected Scope, interface topology, incoming file inspection, External interface classification.

The correct answer is B. Traffic is matched against all applicable layers at the same time . Threat Prevention policy evaluation is not best described as a flat simultaneous match against all applicable layers. Check Point documentation explains that Threat Prevention Policy Layers are Ordered Layers , and that each ordered layer calculates its action separately from the other layers. In a single-layer policy package, the enforced rule is the first matched rule. In multiple-layer policy behavior, matching and enforcement are determined by the layer calculations and the applicable action logic, rather than by one undifferentiated simultaneous match model.

Option A is true because Threat Prevention inspection is applied after the Access Control policy allows the connection; traffic dropped or rejected by Access Control does not proceed to Threat Prevention enforcement. Option C is true for a single Threat Prevention layer because the first matching rule is enforced. Option D is also true because Threat Prevention uses ordered policy-layer behavior. The false statement is therefore option B. Reference topics: Threat Prevention Policy, Ordered Layers, first-match rule behavior, Access Control before Threat Prevention, multi-layer enforcement logic.

The correct answer is C. user:"John Doe" AND (action:drop OR action:reject OR action:block) . Check Point log-query syntax uses field-based filters in the form field:value , Boolean operators such as AND and OR , and parentheses to group multiple criteria. The official Query Language Overview states that the basic syntax is [Field:] < Filter Criterion > , and that Boolean operators can combine multiple filters. It also shows action filtering examples such as blade:"application control" AND action:block, and explains that multiple Boolean expressions can be grouped in parentheses.

Because the user name contains a space, the value must be enclosed in double quotation marks: user:"John Doe". Without quotes, the query parser treats the words as separate criteria, which makes option B incorrect. Option A uses a hyphenated value, which changes the user name. Option D uses single quotes, while Check Point examples and expected syntax use double quotes for phrase values. The action clause is correctly grouped with OR to match logs where the IPS-related enforcement action is drop, reject, or block. Reference topics: Logs & Monitor query language, field filters, quoted strings, Boolean operators, action filtering, IPS log investigation.