The correct answer is A. Automatically activates new protections based on profile . IPS protections are governed by Threat Prevention profiles, and those profiles determine which protections are activated for a rule or policy. Check Point documentation states that a Threat Prevention profile determines which protections are activated and which Software Blades are enabled for the specified rule or policy. For newly downloaded IPS protections, Check Point documents that automatic IPS update behavior can use the profile settings as the default action for those newly downloaded protections.

This is the core logic behind the answer: IPS Follow Protections aligns newly available protections with the active profile’s protection-selection logic instead of requiring the administrator to manually evaluate and activate every update. The profile already contains the criteria for activation, including threat severity, confidence, and performance considerations. Option B describes a different review-oriented workflow, commonly associated with marking protections for follow-up or staging. Option C is incorrect because reporting is a SmartEvent or logging function, not the purpose of Follow Protections. Option D is also incorrect because highlighting log entries does not activate enforcement. Reference topics: IPS profile settings, newly updated IPS protections, automatic update behavior, activation according to profile settings, IPS protection lifecycle.

The correct current official-guide answer is A. Every two hours . Starting from R80.20, Check Point changed IPS update behavior so that gateways can directly download Threat Prevention updates instead of relying only on the Security Management Server and policy installation workflow. The official R80.20 SmartConsole Help states that, starting from R80.20, gateways can directly download updates, while gateways without Internet connectivity still require policy installation to enforce updates. The same official section states that IPS, Anti-Virus and Anti-Bot updates are performed every two hours by default .

This is the key distinction for R80.20 and later. Earlier operational models were more management-server centered, but R80.20+ supports gateway-side automatic update behavior. Every 24 hours is not the current documented default for IPS, Anti-Virus, and Anti-Bot updates in this R80.20+ context. Threat Emulation engine and image updates have separate daily default schedules, which can create confusion if update types are mixed together. Option C and D are also incorrect because the official default is neither hourly nor every four hours. Reference topics: Threat Prevention Scheduled Updates, R80.20 gateway direct updates, IPS update frequency, Anti-Virus and Anti-Bot updates, policy installation for offline gateways.

The correct answer is D. Ordered . Threat Prevention policy uses ordered policy layers. Check Point documentation states that you can create a Threat Prevention Rule Base with multiple Ordered Layers , and that Ordered Layers help organize the Rule Base according to organizational needs, such as services or networks. Each Policy Layer calculates its action separately from other layers, and when there is one layer in the policy package, the first matched rule is enforced.

This is a core certification distinction. Access Control can use ordered and inline layers, but Threat Prevention is treated as an ordered layer policy model. The policy evaluates rules in order and applies the appropriate Threat Prevention profile, blades, protection behavior, and tracking according to rule matching. Option C describes when Threat Prevention is applied in the traffic flow—after Access Control accepts the connection—but it does not answer the question about the layer type. Option A is incorrect because Threat Prevention is not both ordered and inline in this context. Option B is incorrect because inline layers are not the Threat Prevention layer type being tested here. Reference topics: Threat Prevention Policy Layers, Ordered Layers, first-match behavior, policy-layer calculation, Threat Prevention Rule Base.

The correct answer is B. Removes all Administrator overrides . Profile Cleanup is a Threat Prevention profile hygiene tool used mainly in IPS protection management. When administrators manually override protections during tuning, exception handling, false-positive analysis, emergency hardening, or staged deployment, those manual changes can accumulate and cause the profile to deviate from its intended design. Check Point’s IPS Protections documentation states that the Profile Cleanup window lets the administrator select actions such as Remove all user modified and Clear all staging , then install the Threat Prevention Policy.

This directly maps to removing administrator overrides. The option does not automatically set all protections to Detect only; Detect is an action used in specific protection or staging contexts, not the purpose of Profile Cleanup. It also does not delete exemptions, because exception rules are separate policy constructs. It does not repair or remove corrupt updates; IPS update package handling is managed through the update and revert workflow. Profile Cleanup is best understood as a reset mechanism: it clears manual activation or staging deviations so the profile can return to its baseline activation policy and blade settings. Reference topics: IPS Protections, Profile Cleanup, Remove all user modified, Clear all staging, Threat Prevention Policy installation.

The correct answer is B. Forensics . In Threat Prevention policy tracking, Forensics is the tracking option intended to enrich Threat Prevention logs with additional investigation data. Check Point documentation states that the Forensics option adds fields to the Threat Prevention logs , and that this extra information provides a deeper understanding of an attack. The Monitoring Threat Prevention section further explains that Advanced Forensics Details can appear in logs for supported protocols such as DNS, FTP, SMTP, HTTP, and HTTPS, and that this additional information is used by Check Point researchers to analyze attacks.

This is why Forensics is the correct TAC-oriented tracking choice. Alert is a notification-style tracking action, not a deep forensic enrichment mechanism. SNMP sends a management notification, and User Defined invokes administrator-defined alert handling rather than supplying advanced attack-analysis fields. In operational troubleshooting, Forensics is valuable because it preserves richer evidence around the inspected connection, affected blade, protocol behavior, and detection context. Reference topics: Threat Prevention Policy Track Options, Advanced Forensics Details, Logs & Monitor, TAC escalation analysis.

The correct answer is D. Individual Protections . Core Activation Exceptions are used to override activation behavior at the protection level, not at a broad ThreatCloud, inspection-engine, or protection-group abstraction. The official IPS profile settings documentation explains that the Additional Activation section gives administrators granular control to select IPS protections to activate or deactivate. It states that activated protections are enforced by gateways, while deactivated protections are not enforced, regardless of the general profile protection settings.

Check Point’s IPS Protections documentation reinforces this object-level model: each profile is a set of activated protections plus instructions for what IPS does if traffic matches an activated protection, and administrators can change the action for a specified protection. Therefore, a Core Activation Exception is not a general tuning category and does not apply to the entire ThreatCloud or to engine-wide inspection settings. It is used when a specific protection requires a different activation state than the profile would normally produce. This is common during false-positive handling, staged rollout, exception tuning, or targeted hardening for a specific vulnerability. Reference topics: IPS Protections, Additional Activation, activation overrides, individual protection enforcement, profile-based IPS tuning.

The correct answer is B. Traffic is matched against all applicable layers at the same time . Threat Prevention policy evaluation is not best described as a flat simultaneous match against all applicable layers. Check Point documentation explains that Threat Prevention Policy Layers are Ordered Layers , and that each ordered layer calculates its action separately from the other layers. In a single-layer policy package, the enforced rule is the first matched rule. In multiple-layer policy behavior, matching and enforcement are determined by the layer calculations and the applicable action logic, rather than by one undifferentiated simultaneous match model.

Option A is true because Threat Prevention inspection is applied after the Access Control policy allows the connection; traffic dropped or rejected by Access Control does not proceed to Threat Prevention enforcement. Option C is true for a single Threat Prevention layer because the first matching rule is enforced. Option D is also true because Threat Prevention uses ordered policy-layer behavior. The false statement is therefore option B. Reference topics: Threat Prevention Policy, Ordered Layers, first-match rule behavior, Access Control before Threat Prevention, multi-layer enforcement logic.

The correct answer is D. The traffic is not dropped. It is simply not inspected by the Threat Prevention Engine . Access Control and Threat Prevention are separate enforcement stages. The Access Control policy first decides whether the connection is allowed, rejected, or dropped. If Access Control accepts the connection, Threat Prevention is then applied only if the connection matches a Threat Prevention rule and therefore receives a Threat Prevention profile. Check Point documentation describes Threat Prevention policy as the mechanism used to activate only the protections needed and prevent attacks that most threaten the network. It also explains that Threat Prevention policy layers calculate their action separately and that in a single layer, the first matched rule is enforced.

Therefore, if accepted traffic does not match the Threat Prevention rulebase, no Threat Prevention profile is selected for that connection. The traffic is not blocked merely because of the non-match; it passes according to the Access Control decision, but without Threat Prevention inspection. Option A is too aggressive and incorrect. Option B incorrectly assumes logging. Option C is directionally true but incomplete because the key point is that Threat Prevention inspection is not applied. Reference topics: Access Control before Threat Prevention, Threat Prevention Rule Base, profile selection, unmatched traffic, ordered layer evaluation.

The correct answer is B. You have to re-install the Threat Prevention policy . Threat Prevention exceptions are policy constructs, so they must be compiled and installed to the relevant Security Gateways before they affect enforcement. Check Point documentation for creating IPS exceptions shows the workflow: create or configure the exception rule, click OK, and then Install Policy . The Custom Threat Prevention guide also explains that Threat Prevention blades have a dedicated Threat Prevention policy and that this policy can be installed separately from Access Control. It explicitly recommends installing only the Threat Prevention policy to minimize performance impact on Security Gateways.

This is why Install Database is not sufficient. Install Database updates management-side objects and databases, but it does not enforce a new Threat Prevention exception on gateways. Installing Access Control policy is also the wrong policy domain because Anti-Virus, Anti-Bot, IPS, Threat Emulation, and Threat Extraction exceptions belong to Threat Prevention. The change is not immediately active because Security Gateways enforce compiled policy, not unpublished or uninstalled SmartConsole changes. Reference topics: Threat Prevention Exceptions, IPS Exceptions, policy installation targets, dedicated Threat Prevention policy, exception enforcement lifecycle.

The correct answer is D. SmartView . Threat Prevention exceptions are created and managed in SmartConsole policy and log workflows, not from SmartView as the tested location. Check Point documentation states that an exception can be added directly to a rule, and the procedure begins by selecting the rule in the Policy pane and clicking Add Exception . It also documents creating exceptions from IPS Protections and from logs or events in the Logs & Monitor view, where the administrator right-clicks a log and selects Add Exception .

This validates Policy Rule, Log Overview, and Log Details-style workflows as valid exception creation contexts. SmartView, by contrast, is primarily used for browser-based log viewing, reporting, dashboards, and event analysis. It is not the SmartConsole policy-editing context where Threat Prevention exception rules are inserted into the policy package and then installed. The operational reason is enforcement integrity: exceptions modify the compiled Threat Prevention policy, so they must be created in a policy-aware workflow where protected scope, protection/site/file/blade, action, track, install targets, and policy installation are controlled. Reference topics: Exception Rules, Adding Exception to Rule, Creating Exceptions from Logs or Events, IPS Protections exceptions, Threat Prevention Policy installation.