The fact that Check Point recognized the host as infected doesn't mean the infection came via the firewall. For example, some kind of bad USB stick, or email attachments, or whatever...
Anti-Bot recognizes the communication to command and control servers and, following this, marks the host as infected.
Spreading might possibly be prevented, for example by a functioning IPS.
DNS Trap answers DNS requests for known malicious domains with fake IPs. More information:
Anti-Virus Malware DNS Trap feature
Even though your firewall recognizes your host as infected, that does NOT mean that it will heal the host. There is still something bad going on on the client...
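Added example (not part of the original post and not Check Point code): because DNS Trap answers with a fake IP, the hosts that need cleaning can be found by looking for DNS answers and follow-up connections that point at that IP. The trap address, the resolver address and the log format below are assumptions; the sample lines are constructed.

```python
from collections import defaultdict

TRAP_IP = "192.0.2.1"      # assumption: placeholder for the configured DNS Trap address
RESOLVERS = {"10.0.0.53"}  # assumption: internal DNS servers that forward client queries

# Constructed sample records: time, kind, source, detail, answer/destination
SAMPLE_LOG = """\
2024-05-01T09:00:01 dns 10.0.0.53 updates.example.org 198.51.100.7
2024-05-01T09:00:05 dns 10.0.0.53 c2.bad-domain.example 192.0.2.1
2024-05-01T09:00:06 conn 10.0.1.23 tcp/443 192.0.2.1
2024-05-01T09:02:10 dns 10.0.2.40 beacon.bad-domain.example 192.0.2.1
2024-05-01T09:02:11 conn 10.0.2.40 tcp/80 192.0.2.1
2024-05-01T09:03:00 conn 10.0.1.99 tcp/443 198.51.100.7
2024-05-01T09:05:30 conn 10.0.1.23 tcp/443 192.0.2.1
"""

def suspected_hosts(log_text, trap_ip=TRAP_IP, resolvers=RESOLVERS):
    """Return {host: {"domains": set, "connections": int}} for hosts tied to the trap IP."""
    hosts = defaultdict(lambda: {"domains": set(), "connections": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines
        _time, kind, src, detail, target = parts
        if target != trap_ip:
            continue  # only records that involve the trap address matter
        if kind == "dns" and src not in resolvers:
            # The client asked the gateway directly and received the fake IP.
            hosts[src]["domains"].add(detail)
        elif kind == "conn":
            # A connection attempt to the fake IP identifies the real client,
            # even when the DNS query itself came from an internal resolver.
            hosts[src]["connections"] += 1
    return dict(hosts)

if __name__ == "__main__":
    for host, info in sorted(suspected_hosts(SAMPLE_LOG).items()):
        domains = ", ".join(sorted(info["domains"])) or "(resolved via internal DNS)"
        print(f"{host}: {info['connections']} connection(s) to trap IP; domains: {domains}")
```

The hosts it lists still have to be investigated and cleaned on the endpoint; the output only narrows down where to look.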