What type of firewall filters traffic based on the state of existing connections?

A stateful inspection firewall is designed to monitor and manage the state of active connections. It maintains a state table that keeps track of the attributes of ongoing sessions, including the source and destination IP addresses, port numbers, and the current status of the connection. This allows the stateful inspection firewall to make informed decisions about which packets are allowed to pass through based on the established connections.

For instance, if a packet arrives that is part of a connection already established, the firewall can permit it, whereas if a packet does not match an existing connection, it may be dropped or denied. This capability provides a higher level of security compared to simple packet filtering firewalls that only look at the packet header information without context about the connection state.

In contrast, the other options, proxy firewalls and web application firewalls (WAFs), serve different roles. A proxy firewall acts as an intermediary between users and the services they wish to access, typically providing content filtering, while a WAF specifically protects web applications by monitoring and controlling HTTP/HTTPS traffic. A shallow inspection firewall refers to one that does not maintain detailed state information and hence does not filter based on connection state, which is why it is not the correct answer.
