156-590 Exam Dumps - Check Point Certified Threat Prevention Specialist (CTPS)

The correct answer is D. "bypass" . A blade exception rule is used when matching traffic should be excluded from inspection by one or more Threat Prevention blades. In this context, bypass is the correct action because it tells the gateway not to apply the selected blade inspection to that traffic. Check Point’s exception documentation describes exceptions as a way to set a different action for an object in the protected scope, usually to reduce enforcement. The same guide shows that exception rules can include a Protection/Site/File/Blade cell, where administrators can select categories including Blades as exception items.

This is distinct from making a protection inactive globally. Inactive disables a protection or blade more broadly and is not the correct per-exception action for excluding selected traffic. Ignore is not the Threat Prevention exception action used in this context. Ask user is a UserCheck-style interaction and is not appropriate for bypassing Threat Prevention blade inspection. Bypass is precise: it preserves the broader policy while excluding only the matching scope from the selected blade or file-processing behavior. The guide also shows bypass behavior in file-type exception configuration, where a file type can be selected and bypassed under profile exception handling. Reference topics: Threat Prevention Exception Rules, Blade exceptions, bypass action, protected scope, file/blade exclusion.

The correct answer is B. Reports can be delivered to users who are not Check Point administrators . SmartEvent Views are primarily interactive dashboards used by administrators and analysts for live investigation, drill-down, filtering, and operational analysis. Reports are designed for packaged distribution: they summarize security activity, policy enforcement, trends, and incident data into a consumable format. Check Point documentation states that views and reports can be exported to PDF or CSV using defined filters and time frames. It also documents scheduled report delivery, including the option to send a scheduled view or report automatically by email.

This delivery model is why reports are better suited for executives, auditors, business owners, and non-administrator stakeholders. They do not need SmartConsole access or Check Point administrator privileges to consume a PDF or scheduled email report. Option A describes Views more accurately because views are live and interactive. Option C is incorrect because reports do not inherently have more raw detail than views; they present selected information in a structured format. Option D is incorrect because both views and reports can be customized. Reference topics: SmartEvent Reports, Views and Reports, report scheduling, PDF/CSV export, email delivery, non-administrator reporting.

The correct answer is C. user:"John Doe" AND (action:drop OR action:reject OR action:block) . Check Point log-query syntax uses field-based filters in the form field:value , Boolean operators such as AND and OR , and parentheses to group multiple criteria. The official Query Language Overview states that the basic syntax is [Field:] < Filter Criterion > , and that Boolean operators can combine multiple filters. It also shows action filtering examples such as blade:"application control" AND action:block, and explains that multiple Boolean expressions can be grouped in parentheses.

Because the user name contains a space, the value must be enclosed in double quotation marks: user:"John Doe". Without quotes, the query parser treats the words as separate criteria, which makes option B incorrect. Option A uses a hyphenated value, which changes the user name. Option D uses single quotes, while Check Point examples and expected syntax use double quotes for phrase values. The action clause is correctly grouped with OR to match logs where the IPS-related enforcement action is drop, reject, or block. Reference topics: Logs & Monitor query language, field filters, quoted strings, Boolean operators, action filtering, IPS log investigation.

The correct answer is D. fwaccel dos rate . When IPS or other Threat Prevention inspection causes significant traffic to leave the fully accelerated SecureXL path and move to F2F, the gateway can experience higher CPU utilization because more packets require Firewall kernel processing. The fwaccel dos rate command belongs to SecureXL DoS and rate-limiting controls. Check Point’s Performance Tuning guide defines fwaccel dos rate and fwaccel6 dos rate as commands that show and install the Rate Limiting policy in SecureXL. It also notes that the feature is enabled by default without rules.

This makes it the correct command for enforcing traffic quotas or rate-limiting policy in the accelerated path. fw dos rate is not the correct Check Point syntax. fwaccel rate omits the DoS rate-limiting command hierarchy. fw ctl dos is also not the documented command for SecureXL rate policy installation. In operational performance tuning, fwaccel DoS rate controls are useful when the gateway must protect CPU resources from excessive connection rates, volumetric pressure, or inspection-heavy flows that can amplify the impact of Threat Prevention processing. Reference topics: SecureXL DoS Mitigation, Rate Limiting Policy, fwaccel dos rate, F2F path, IPS performance impact.

The correct answer is C. MITRE Corporation . CVE, or Common Vulnerabilities and Exposures, is the standardized naming system used across security vendors, vulnerability databases, IPS signatures, advisories, scanners, and remediation programs. In a Check Point Threat Prevention context, CVE identifiers are important because IPS protections frequently map detections and exploit protections to known vulnerabilities. This allows administrators to correlate a Check Point IPS protection with vendor advisories, exposure management, patching, and risk prioritization. The official CVE site describes CVE as an authoritative reference method for publicly known information-security vulnerabilities and exposures. MITRE documentation states that The MITRE Corporation maintains CVE and its public website , manages compatibility, and provides technical guidance to the CVE Editorial Board.

The distractors represent related but distinct roles. DHS/CISA has historically sponsored or funded the program, but sponsorship is not ownership and maintenance of the CVE list itself. NIST maintains the National Vulnerability Database, which enriches CVE data with scoring and analysis, but NVD is downstream from CVE identifiers. Check Point consumes CVE intelligence through IPS and ThreatCloud-driven protections; it does not own the CVE program. Reference topics: IPS vulnerability mapping, CVE-based protection metadata, threat intelligence normalization, vulnerability-to-protection correlation.