Free Checkpoint 156-590 Practice Exam with Questions & Answers

The correct answer is D. F2F . Protections with high inspection impact generally require deeper processing that cannot remain fully accelerated in SecureXL. In Check Point performance terminology, F2F means traffic is forwarded from SecureXL to the Firewall path for inspection. Performance tuning documentation describes F2F packets as packets that SecureXL forwarded to the Firewall in the slow path, while accelerated traffic remains in the fast path. Threat Prevention protections, especially high-impact IPS protections, can require deeper packet, stream, or protocol analysis and therefore increase the portion of traffic processed outside full SecureXL acceleration.

Check Point IPS documentation explains that Performance Impact is the measure of how much a protection affects gateway performance and warns that activated protections with higher performance impact can cause connectivity or performance issues. The IPS optimization guidance further explains that some protections require more system resources to inspect traffic and recommends focusing on lower-impact protections when reducing gateway resource use is necessary. SXL is the fully accelerated path, PXL is medium-path inspection with acceleration assistance, and CPASXL relates to active streaming acceleration. High Protection Impact aligns with F2F because the gateway must perform deeper inspection. Reference topics: IPS Performance Impact, SecureXL packet paths, F2F, PXL/SXL, IPS optimization.

The correct answer is B. Firewall, Identity Awareness, Content Awareness, and IPS . The question asks for features common across the NGFW, NGTP, and SNBT package families. Check Point’s Network Security Software Bundles datasheet shows that Firewall , Identity Awareness , Content Awareness , and IPS are included across NGFW, NGTP, and SNBT. The same table also shows Application Control and several other capabilities, but among the listed answers, option B is the one whose components are common to all three package columns.

The package progression is important. NGFW is the base next-generation firewall bundle and includes core access-control and IPS capability. NGTP includes NGFW capabilities and adds prevention features such as Anti-Virus, Anti-Bot, URL Filtering, and DNS Security. SNBT, or SandBlast, includes NGTP and adds advanced zero-day protections such as Threat Emulation, Threat Extraction, and Zero Phishing. Therefore, answers containing Anti-Virus, Anti-Bot, or Threat Emulation are not “common” to all three packages. Anti-Virus and Anti-Bot are not part of the base NGFW package in the table, and Threat Emulation is specific to SNBT. Reference topics: Check Point Security Gateway Software Bundles, NGFW, NGTP, SNBT, IPS, Identity Awareness, Content Awareness.

The correct answer is C. HTTP/HTTPS . The course-guide answer identifies HTTP/HTTPS as the Anti-Virus protocols enabled by default. Architecturally, this reflects the most common perimeter malware-delivery path: users downloading web content from the Internet. HTTP is naturally visible to the gateway, while HTTPS requires HTTPS Inspection to expose encrypted file transfers and web objects for Anti-Virus inspection. Check Point documentation notes that most traffic is HTTPS rather than HTTP and recommends enabling HTTPS Inspection to maximize the effectiveness of Threat Prevention Software Blades.

The broader Anti-Virus blade can support more protocols than the default enabled set. Check Point documents that HTTP, FTP, SMB, and SMTP are protocols selectable in SmartConsole, and that IMAP and POP3 can also be enabled through configuration. This distinction is the certification point: supported does not necessarily mean enabled by default . FTP, SMB, SMTP, IMAP, and POP3 can extend inspection coverage, but enabling more protocol inspection increases processing scope and must be aligned with topology, performance, and business risk. Reference topics: Anti-Virus Settings, HTTPS Inspection, protocol support, protected scope, Threat Prevention blade effectiveness.

The correct official-guide answer is B. Install the Threat Prevention Policy . IPS protections can be updated manually or by schedule, and Check Point documentation states that IPS can be updated with real-time information on attacks and the latest protections. However, the same official section explicitly notes that to enforce the IPS updates, you must install the Threat Prevention Policy . The documented update procedure also ends with installing the Threat Prevention Policy after selecting the IPS update method.

This distinction is important: downloading or updating the IPS package makes the updated protections available to management and policy logic, but enforcement on Security Gateways depends on policy installation. “Install Database” is not the correct enforcement step for gateway inspection. Installing the Access Control Policy is also incorrect because IPS ThreatCloud protections are part of the Threat Prevention policy framework, not the Access Control rulebase. The statement that changes are immediately active is not the current official behavior for enforcing IPS updates on gateways. In production operations, scheduled IPS updates may be paired with automatic Threat Prevention policy installation, but that still confirms the requirement: the policy must be installed for enforcement. Reference topics: Updating IPS Protections, Threat Prevention Policy installation, IPS update enforcement, scheduled updates.

The correct answer is B. Traffic is matched against all applicable layers at the same time . Threat Prevention policy evaluation is not best described as a flat simultaneous match against all applicable layers. Check Point documentation explains that Threat Prevention Policy Layers are Ordered Layers , and that each ordered layer calculates its action separately from the other layers. In a single-layer policy package, the enforced rule is the first matched rule. In multiple-layer policy behavior, matching and enforcement are determined by the layer calculations and the applicable action logic, rather than by one undifferentiated simultaneous match model.

Option A is true because Threat Prevention inspection is applied after the Access Control policy allows the connection; traffic dropped or rejected by Access Control does not proceed to Threat Prevention enforcement. Option C is true for a single Threat Prevention layer because the first matching rule is enforced. Option D is also true because Threat Prevention uses ordered policy-layer behavior. The false statement is therefore option B. Reference topics: Threat Prevention Policy, Ordered Layers, first-match rule behavior, Access Control before Threat Prevention, multi-layer enforcement logic.

The correct answer is D. Communicate forensics data collected to Government Agencies . The Forensics tracking option exists to enrich Threat Prevention logs with deeper technical context for analysis and troubleshooting. Check Point documentation states that the Forensics option adds fields to Threat Prevention logs and that the additional information gives a deeper understanding of an attack. The Monitoring Threat Prevention guidance also explains that Advanced Forensics Details can include protocol-specific details for DNS, FTP, SMTP, HTTP, and HTTPS, and that this information is used by Check Point researchers to analyze attacks.

The purpose is security analysis, incident investigation, and support-quality evidence collection, not government reporting. Options A and B accurately describe the function of Forensics tracking. Option C reflects the broader idea that forensic and diagnostic details may include gateway-related technical data for Check Point analysis, depending on configuration and feature behavior. Option D is the false statement because Check Point Threat Prevention Forensics is not defined as a mechanism for transmitting collected forensic data to government agencies. In production, enabling Forensics should be treated as a deliberate logging and privacy decision because it may add protocol and transaction context to logs. Reference topics: Threat Prevention Track Options, Forensics tracking, Advanced Forensics Details, Logs & Monitor, attack analysis.

The correct answer is C. CIFS . Check Point Anti-Virus scans file-transfer and content-bearing protocols, not arbitrary management or terminal protocols. The official Anti-Virus settings documentation lists the protocols Anti-Virus can scan as Web HTTP/HTTPS , FTP , SMB , and Mail SMTP or POP3 , with additional support for IMAP and POP3.

CIFS is closely associated with Microsoft file sharing and the SMB protocol family. In the exam context, CIFS maps to the file-sharing traffic class that Anti-Virus can inspect through SMB scanning. This is why CIFS is the correct option. Remote Desktop is an interactive remote-control protocol, not a file-inspection protocol for Anti-Virus scanning in this question. SNMP is a monitoring and management protocol and does not normally carry files for malware inspection. Telnet is an interactive terminal protocol and is not an Anti-Virus file-scanning protocol. The certification distinction is that Anti-Virus inspection focuses on files and content objects crossing supported protocols, especially web downloads, FTP transfers, SMB/CIFS file access, and mail attachments. Reference topics: Anti-Virus Settings, protocol scanning, SMB/CIFS inspection, file-transfer inspection, Threat Prevention protected scope.

The correct answer is B. The executive reports generally contain abstract information without much technical detail. You have to use Smart Event Threat Prevention Report filtered for last week data . For executive communication, the correct SmartEvent mechanism is a report rather than a raw log export or interactive operational view. Check Point documentation explains that views and reports can be exported to PDF or CSV using defined filters and time frames, and that reports summarize network activity and Security Policy enforcement generated by Check Point products such as SmartEvent.

A CEO-level security-incident briefing should emphasize risk, timeline, impact, affected assets, attack category, prevention outcome, and recommended remediation, without requiring the recipient to interpret raw logs or technical blade details. A Threat Prevention Report filtered for last week provides the appropriate time-bounded summary. Option A is overly manual and uses a view plus CSV/PDF conversion rather than the report mechanism. Option C incorrectly shifts the workflow to SmartLog filtering and an external report generator. Option D uses a view, which is better suited for live or interactive operational analysis by administrators, not executive distribution. Reference topics: SmartEvent Reports, Threat Prevention Report, report time filters, executive reporting, exporting reports.

The correct answer is D. Background because it inspects a large subset of traffic . Anti-Virus is a pre-infection Threat Prevention blade that can inspect broad user traffic categories, including web and file-transfer flows. Because the inspection scope can be large, the selected enforcement behavior directly affects latency, user experience, and gateway resource consumption. Check Point documentation identifies Anti-Virus as a blade that scans protocols such as HTTP/HTTPS, FTP, SMB, and mail-related traffic depending on configuration, with additional protocol support documented for IMAP and POP3.

The Background setting is recommended in this context because it avoids unnecessarily holding a large volume of traffic while inspection continues. Hold mode is stricter because it delays delivery until inspection completes or a timeout condition is reached, but that strictness can introduce user-facing delay when applied broadly. Option A is incorrect because Anti-Virus is not post-infection; it prevents malware before user impact. Options B and C are incorrect because they associate Hold mode with a limited inspection scope, while Anti-Virus commonly applies to a large and performance-sensitive traffic set. Reference topics: Anti-Virus Settings, protocol inspection scope, Background versus Hold behavior, performance impact, pre-infection prevention.

The correct answer is D. Basic, Optimized, Strict . Check Point supplies out-of-the-box Threat Prevention profiles to give administrators predefined security/performance baselines. The official Threat Prevention Profiles section states that administrators can clone a selected profile but cannot change the out-of-the-box profiles: Basic, Optimized, and Strict .

These profiles represent different operating postures. Basic is designed for reliable protection with lower performance impact. Optimized is the default-style balanced approach, providing strong protection for common products and protocols while preserving gateway performance. Strict provides wider coverage and more aggressive protection selection, but can increase inspection cost and may require closer tuning. The other answer choices describe architectural traffic directions or deployment zones, not the official preconfigured profile names. “Perimeter,” “Datacenter,” and “East-West” are useful design concepts, especially in modern segmentation and Autonomous Threat Prevention discussions, but they are not the three preconfigured Custom Threat Prevention profiles in this question. From a certification perspective, the distinction matters because profiles are selected as the Action in Threat Prevention rules and determine which protections and blades are active. Reference topics: Threat Prevention Profiles, out-of-the-box profiles, Basic profile, Optimized profile, Strict profile, profile cloning.