CheckPoint 156-590 Exam Dumps

The correct answer is B. You have to re-install the Threat Prevention policy. Threat Prevention exceptions are policy constructs, so they must be compiled and installed to the relevant Security Gateways before they affect enforcement. Check Point documentation for creating IPS exceptions shows the workflow: create or configure the exception rule, click OK, and then Install Policy. The Custom Threat Prevention guide also explains that Threat Prevention blades have a dedicated Threat Prevention policy and that this policy can be installed separately from Access Control. It explicitly recommends installing only the Threat Prevention policy to minimize performance impact on Security Gateways.

This is why Install Database is not sufficient. Install Database updates management-side objects and databases, but it does not enforce a new Threat Prevention exception on gateways. Installing Access Control policy is also the wrong policy domain because Anti-Virus, Anti-Bot, IPS, Threat Emulation, and Threat Extraction exceptions belong to Threat Prevention. The change is not immediately active because Security Gateways enforce compiled policy, not unpublished or uninstalled SmartConsole changes. Reference topics: Threat Prevention Exceptions, IPS Exceptions, policy installation targets, dedicated Threat Prevention policy, exception enforcement lifecycle.

The correct answer is D. The rule is contained on a single line. There are two logical sections: Rule Header and Rule Options. SNORT signatures are supported in Check Point Threat Prevention as custom IPS-style protections, and their structure follows the standard SNORT rule model. Official Snort documentation states that the rule header includes the text before the first parenthesis, while the body contains the rule options between parentheses. It also shows a complete rule with header and option definitions. The classic Snort rule reference describes the two logical sections as the rule header and rule options.

In the exam wording, the expected construction is a single-line rule composed of these two logical sections. The header defines the coarse traffic selector and action, such as alert/drop, protocol, source, destination, ports, and direction. The options define the detailed detection logic, such as message, content match, flow, metadata, and signature identifier. ''Payload'' is not the correct formal name for the second logical section, which eliminates options A and C. Option B uses the correct logical sections but incorrectly states that the rule is contained on two lines. Reference topics: SNORT Signature Support, custom IPS protections, Rule Header, Rule Options, signature syntax.

The correct answer is D. Newly created domains. DGA means Domain Generation Algorithm, a technique used by malware to algorithmically create large numbers of domain names for command-and-control communication. Instead of hardcoding one static C2 domain, a bot can generate many possible domains over time, making takedown and static blocking much harder. Check Point's Network Security Software Bundles datasheet states that Check Point AI Deep Learning blocks the latest DNS attacks, including Tunneling and Domain Generation Algorithm/DGA, and specifically blocks connections to the newest generation of malicious domains created via DGA.

This explains why the correct exam option is ''newly created domains.'' Known malicious IP blocking is a reputation and IP intelligence function, but it is not the specific purpose of DGA protection. Infected URLs and infected files are handled by URL reputation, Anti-Virus, Threat Emulation, and related Threat Prevention functions. DGA protection focuses on DNS-layer behavior and suspicious or algorithmically generated domain use, especially when malware attempts to contact rotating or recently generated domains for C2, payload retrieval, or data exfiltration. In operational terms, DGA protection is part of Anti-Bot and Advanced DNS defense, helping detect compromised hosts even when the malware infrastructure changes rapidly. Reference topics: ThreatCloud, DGA Protection, Advanced DNS, Anti-Bot, DNS C2 prevention.

The correct answer is C. Install the Threat Prevention Policy. IPS Core Protections are part of the Threat Prevention policy domain, so changing them in SmartConsole is not enough by itself. The updated configuration must be compiled and installed to the relevant Security Gateways through the Threat Prevention Policy installation process. Check Point's IPS Protections documentation shows the workflow for editing core protections: go to Security Policies > Threat Prevention > Custom Policy Tools > IPS Protections, filter for Type Core, edit the required core protection settings, and then Install the Threat Prevention policy.

This directly eliminates the other options. The setting is not immediately active because gateways enforce installed policy, not merely edited management configuration. Install Database updates the management database but does not push enforcement logic to the Security Gateway. Install Access Control Policy applies firewall/access-layer logic, but IPS Core Protections belong to the Threat Prevention policy. In operational terms, this separation allows administrators to install Threat Prevention changes without necessarily reinstalling Access Control, reducing disruption and keeping blade changes scoped to the correct policy package. Reference topics: IPS Protections, Core IPS Protections, Custom Policy Tools, Threat Prevention Policy installation, enforcement lifecycle.

The correct answer is D. 2 million. In R81.20, Check Point expanded the supported scale for custom threat intelligence observables. The R81.20 Threat Prevention Administration Guide states that, starting from R81.20, the Security Gateway supports at least 2 million patterns/observables for URL, Domain, IP address, and Hash observable types. It also notes that the maximum number is limited by available memory and disk space on the Security Gateway, and that the gateway checks whether 50% of total memory is free before loading more patterns or observables.

This capability applies to Custom Intelligence Feeds, which let administrators fetch feeds from third-party servers directly to the Security Gateway for enforcement by Anti-Virus, Anti-Bot, and IPS blades. The feature reduces operational overhead by allowing external indicators to be managed and monitored through the Threat Prevention enforcement path. The incorrect options either understate or overstate the documented baseline. ''Unlimited'' is also incorrect because Check Point explicitly ties the upper boundary to memory and disk capacity. Reference topics: Custom Threat Indicators, External IoC Feeds, Custom Intelligence Feeds, observable scale, R81.20 Threat Prevention, URL/domain/IP/hash indicators.