What action is taken by Threat Prevention for traffic that does not match any Threat Prevention rules?
The correct answer is C. Accept. Threat Prevention is applied only to traffic that has already been accepted by the Access Control policy, and then the Threat Prevention rulebase determines which protection profile, blade behavior, and tracking settings apply. When traffic does not match a Threat Prevention rule, no Threat Prevention profile is selected for that connection, so the traffic is not blocked by Threat Prevention simply because of a non-match. Check Point documentation explains that Threat Prevention policy layers calculate their actions according to rule matching, and in a single-layer policy the enforced rule is the first matched rule.
This distinction is critical for certification and real operations. Threat Prevention is not a replacement for the Access Control decision; it is a follow-up inspection layer for already accepted traffic. A non-match in Threat Prevention means the traffic is outside the configured protected scope or rule conditions, so the Threat Prevention engine does not apply a prevent/drop/reject action to it. Reject and Drop are enforcement outcomes for matched malicious or blocked traffic, not for unmatched Threat Prevention traffic. Detect is a logging/enforcement mode for matched protections, not the default result of no rule match. Reference topics: Threat Prevention Policy, ordered layer behavior, protected scope, first-match rule logic, unmatched traffic handling.
Which is NOT a rating used in IPS Protection selection/activation?
The correct answer is B. CPU Utilization. IPS protection selection and activation are based on protection metadata and profile criteria, not a direct CPU-utilization rating. The official Threat Prevention guide states that a Threat Prevention profile activates protections according to factors including performance impact of the protection, severity of the threat, confidence that a protection can correctly identify an attack, and settings specific to the Software Blade.
The same R81.20 guide shows how the Optimized profile uses these criteria: protections are set to Prevent or Detect based on Confidence Level, Performance Impact, and Severity thresholds. CPU utilization is certainly relevant in performance troubleshooting, capacity planning, and operational monitoring, but it is not one of the IPS protection-selection ratings. In practice, CPU usage is an observed runtime metric, while Performance Impact is the predefined protection attribute used by profiles to decide whether a protection should be active, detect-only, or prevented. This distinction matters in certification: IPS tuning is driven by profile attributes, while CPU utilization is reviewed afterward through monitoring tools such as CPView, logs, and performance diagnostics. Reference topics: IPS Protection ratings, Threat Prevention Profiles, Severity, Confidence Level, Performance Impact, activation criteria.
Which protection setting is generally the LEAST resource intensive?
The correct answer is D. Inactive. A protection set to Inactive is not enforced for matching traffic, so it does not impose the same inspection and enforcement cost as active protection states. Check Point documentation explains that a Threat Prevention profile determines which protections are activated and which Software Blades are enabled for a rule or policy. The protections a profile activates depend on factors such as performance impact, threat severity, confidence level, and blade-specific settings. Check Point best-practice material also describes that administrators may tune IPS profiles and set protections to prevent, detect, or inactive.
The relative resource logic is direct: Prevent is usually the most expensive because the gateway must inspect and enforce a blocking action inline. Inspect and Detect still require traffic analysis and matching logic, even if the final result is logging rather than prevention. Inactive removes the protection from enforcement consideration, making it the lowest resource option. This does not mean administrators should disable protections indiscriminately; Inactive should be used only when justified by risk, false-positive analysis, performance tuning, or compensating controls. Reference topics: IPS profile tuning, activation settings, performance impact, Prevent/Detect/Inactive behavior, Threat Prevention optimization.
Which process is responsible for communication with the Check Point ThreatCloud for the sake of Anti-Virus Protection Update?
The correct answer is A. The CPAS Daemon (cpasd). In the course-guide context, cpasd is the process associated with Anti-Virus communication toward Check Point ThreatCloud for protection-update and classification purposes. The functional reason is that Anti-Virus file inspection depends on Check Point's ThreatSpect and ThreatCloud intelligence pipeline. Check Point documentation explains that each Security Gateway has a Malware database and a local cache; when the cache has no answer, it queries the ThreatCloud repository. For Anti-Virus, the signature is sent for file classification.
The ThreatCloud network is dynamically updated and distributes attack information that can convert zero-day attack data into known signatures that Anti-Virus can block. This explains why the communication process matters: AV enforcement is not limited to a static local signature set; it relies on cloud-assisted reputation, classification, and continuously updated intelligence. The distractors do not match this function. RAD is mainly associated with resource categorization and URL/Application intelligence. pslavd is not the ThreatCloud update communication process named in this question. ted belongs to Threat Emulation, not Anti-Virus protection updates. Reference topics: Anti-Virus, CPAS/cpasd, ThreatCloud repository, Malware database, local cache, file classification.
Which of the following does not belong to the types of exceptions?
The correct answer is B. QoS Policy exemptions. Threat Prevention exceptions are policy constructs used to alter how Threat Prevention blades, IPS protections, files, sites, or protected-scope objects are handled. Check Point documentation explains that an exception sets a different action for an object in the protected scope than the action specified by the Threat Prevention rule, and that exceptions are generally intended to reduce the level of enforcement rather than increase it. The guide also describes creating exceptions from IPS Protections, logs, events, and exception groups, all within the Threat Prevention policy workflow.
IPS Settings Exceptions, Core Activation Exceptions, and Implied IPS Exceptions are aligned with the IPS/Threat Prevention exception model because they affect how protections are activated, tuned, or safely excluded from enforcement. QoS Policy exemptions do not belong to the Threat Prevention exception taxonomy. QoS relates to traffic prioritization, bandwidth control, and quality-of-service enforcement, not to malware, IPS, Anti-Bot, Anti-Virus, or blade exception handling. In certification terms, the key separation is policy domain: Threat Prevention exceptions modify security inspection behavior, while QoS exemptions belong to traffic management. Reference topics: Threat Prevention Exceptions, IPS Exceptions, Core Activation Exceptions, Implied IPS Exceptions, exception groups.
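As an added illustration (not Check Point code, and not documented profile values) that ties together the first-match and unmatched-traffic behavior from the first question, the rating-driven Prevent/Detect/Inactive activation from the IPS questions, and the exception override from the last one, here is a small Python model. The profile thresholds, host addresses and protection names are assumed for the example.

```python
# Added illustrative model of Threat Prevention evaluation; not Check Point code.
# Ratings are ordinal; the profile thresholds are ASSUMED, not the real profile values.
LEVELS = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}

# profile -> (minimum severity, minimum confidence, maximum performance impact)
PROFILES = {"Optimized": ("Medium", "Medium", "Medium"),   # assumed thresholds
            "Strict": ("Low", "Low", "Critical")}           # assumed thresholds

def protection_action(profile, p):
    """Prevent / Detect / Inactive for protection p under a profile, driven only by
    the protection's ratings; CPU utilization is a runtime metric, not an input."""
    min_sev, min_conf, max_perf = PROFILES[profile]
    if LEVELS[p["performance_impact"]] > LEVELS[max_perf]:
        return "Inactive"   # too costly for this profile: not inspected at all
    if LEVELS[p["severity"]] < LEVELS[min_sev]:
        return "Inactive"   # threat not severe enough to activate
    if LEVELS[p["confidence"]] >= LEVELS[min_conf]:
        return "Prevent"    # confident enough to block inline
    return "Detect"         # still inspected and logged, but not blocked

def first_match(rulebase, src, dst):
    """Single-layer first-match: profile of the first rule whose protected scope
    covers either endpoint, or None when no rule matches."""
    for rule in rulebase:
        if src in rule["scope"] or dst in rule["scope"]:
            return rule["profile"]
    return None

def evaluate(rulebase, src, dst, p, exceptions=()):
    """Outcome for a connection Access Control has already Accepted. No matching
    rule means no profile, so Threat Prevention does not block ('Accept')."""
    profile = first_match(rulebase, src, dst)
    if profile is None:
        return "Accept"
    # An exception sets a different action for an object in the protected scope;
    # modelled here as (host, protection name, action) tuples.
    for host, name, exc_action in exceptions:
        if host in (src, dst) and name == p["name"]:
            return exc_action
    return protection_action(profile, p)

# Constructed sample data; hosts and protection names are made up for the example.
def prot(name, severity, confidence, performance_impact):
    return dict(name=name, severity=severity, confidence=confidence,
                performance_impact=performance_impact)
RULEBASE = [{"scope": {"10.0.1.10"}, "profile": "Strict"},      # server rule first
            {"scope": {"10.0.2.20"}, "profile": "Optimized"}]   # user rule second
SQLI = prot("demo-sqli", "High", "High", "Low")
NOISY = prot("demo-noisy", "High", "Low", "Low")
HEAVY = prot("demo-heavy", "Critical", "High", "High")
```

Running `evaluate(RULEBASE, "10.0.3.30", "198.51.100.5", SQLI)` returns "Accept" because no rule's protected scope covers the connection, while the same protection against 10.0.1.10 matches the Strict rule first and returns "Prevent".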