Application proxies monitor commands sent at the application layer, and
reconstruct packets so that IP attacks can't be sent beyond the firewall.
(From what I understand), State-based (a.k.a. enhanced extended packet
filter) security devices inspect the first packet that comes across with
enhanced extended filtering rules and can include additional authentication.
If that packet passes all filtering rules, remaining packets of that session
are passed through without inspection.
I would like to add that Firewall-1 can be set to continue monitoring all the packets of an established session and will check them against the rule base.