Next-Generation Firewalls (NGFWs) are distinguished from traditional stateful firewalls by their ability to operate at the application layer (Layer 7) of the OSI model. The unique capability listed is deep packet inspection (DPI), which allows the NGFW to analyze the actual content of data packets. This enables the identification of specific applications, such as Skype or BitTorrent, regardless of the port or protocol being used. Stateful firewalls, in contrast, primarily make decisions based on Layer 3 (IP addresses) and Layer 4 (ports and connection state), lacking this application-level visibility and control.

A. Maintaining connection states for active sessions.

This is the defining feature of a stateful firewall, not a unique capability of an NGFW. NGFWs incorporate this functionality but build upon it.

B. Performing NAT (Network Address Translation) to enable private IP communication.

NAT is a standard function available in most network firewalls for many years, including basic stateful inspection firewalls.

D. Packet filtering based on source and destination IPs and ports.

This is a fundamental capability of all firewalls, from basic packet filters to stateful firewalls and NGFWs. It is not a unique differentiator.

1. Palo Alto Networks. (n.d.). What Is a Next-Generation Firewall (NGFW)? Palo Alto Networks Technology Resources. Retrieved from official vendor documentation. In the section "How Does a Next-Generation Firewall Work?", it states: "Whereas traditional firewalls only identify traffic by port and protocol, an NGFW uses multiple inspection techniques, including deep packet inspection, to identify the applications creating the traffic." This directly supports the concept of application identification regardless of port.

2. Al-Ani, A. K., & Al-Badran, S. T. (2021). A Comparative Study of Firewall Technologies. Journal of Physics: Conference Series, 1804(1), 012099. https://doi.org/10.1088/1742-6596/1804/1/012099. In Section 3.3, "Next-Generation Firewall (NGFW)", the paper states: "The NGFW can identify applications regardless of the port, protocol, or encryption used... This is achieved through a process called deep packet inspection (DPI), which examines the payload of packets to identify the application that generated them."

3. Rochester Institute of Technology. (n.d.). CSEC-472: Network Security and Forensics - Firewalls. Courseware. In the lecture slides on Firewalls, under the "Next-Generation Firewalls (NGFW)" section, a key feature listed is "Application awareness and control," which "Identifies and controls applications, regardless of port, protocol, or evasive tactic." This contrasts with stateful firewalls, which are described as operating at Layers 3 and 4.