Which feature can only be inspected by a stateful firewall?

A stateful firewall is specifically designed to track the state of active connections and determine whether a packet is part of an existing, established session. This capability allows the firewall to make more informed decisions about whether to allow or deny traffic based on the context of the connection rather than just the individual packets being transmitted.

While packet filtering examines packets in isolation, stateful firewalls go beyond that by maintaining a state table that records all active connections. This enables the firewall to confirm if an incoming packet corresponds to an already established session; if it does, the packet can be accepted without further inspection. This stateful tracking is what distinguishes them from stateless firewalls, which lack this capability.

Deep packet inspection and identifying malicious payloads are functionalities that can be associated with both stateful and stateless firewalls, but the unique ability to confirm whether a packet is part of an active session is solely the domain of stateful firewalls.