What best describes the distinction between network-based application firewalls and traditional packet-filtering firewalls?

Study for the EC-Council Certified Ethical Hacker (CEH) v13 Exam. Utilize flashcards and multiple-choice questions with helpful hints and detailed explanations. Excel in your exam preparation!

Multiple Choice

What best describes the distinction between network-based application firewalls and traditional packet-filtering firewalls?

Explanation:
The main idea here is the level at which the firewall inspects traffic. Network-based application firewalls operate at the application layer and understand applications and their protocols, so they can examine the actual content and behavior of traffic (for example, HTTP requests or FTP commands) and enforce decisions based on that context. Traditional packet-filtering firewalls, by contrast, work mainly at lower layers and filter traffic based on basic header information like IP addresses and ports, without inspecting the actual application data.

This is why the best description says the former understand applications and protocols, while the latter primarily filter by IP addresses and ports. The other options don’t capture this core distinction: logging alone isn’t defining; the application-layer capability is what sets the two apart; and in practice, more capable application-layer firewalls often require more processing power, not less.
