Deep Packet Inspection (DPI) performed at a firewall examines the data part (and possibly also the header) of an IP packet passing through the firewall, searching for protocol non-compliance, viruses, spam, intrusions, or other defined criteria, in order to decide whether the IP packet may pass or whether it must be routed to a different destination, or simply for the purpose of collecting statistical information.
There are multiple ways to acquire packets for deep packet inspection. Using port mirroring (sometimes called a SPAN port) is a very common way, as are optical splitters. Deep Packet Inspection (and filtering) enables advanced network management, user service, and security functions, as well as internet data mining, eavesdropping, and internet censorship.
However, as there is a lot of information to be inspected, including users, data sessions, protocols, source IP addresses, and destination IP addresses, an administrator may easily overlook some of the information and the correlations among it. Therefore, an easy-to-use user interface is important. Furthermore, a firewall cannot inspect IP packets that are transmitted and received through a VPN connection if the firewall does not have the security information needed to decrypt the VPN connection. Therefore, when an IP packet is encapsulated in one or more encapsulating packets, a firewall has to decapsulate the IP packet from the corresponding encapsulating packet(s) before inspecting it.
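The decision logic of the first paragraph (pass, route elsewhere, or just count) and the decapsulation requirement of the third paragraph can be shown together in a small worked example. The following Python is an added illustration, not code from the original text or from any firewall product: it builds a few constructed IPv4 packets, peels IP-in-IP encapsulation (protocol 4) until it reaches the innermost packet, inspects the innermost payload against a constructed signature, treats malformed headers as non-compliant, counts ESP (protocol 50) payloads as opaque because the firewall has no keys to decrypt them, and keeps per-packet statistics. The signature, addresses, and the "redirect"/"pass" policy for encrypted traffic are all assumptions made for the example.

```python
"""Added DPI sketch: decapsulate nested IP-in-IP packets, inspect the innermost
payload against defined criteria, and collect statistics.

All packets, addresses and the signature below are constructed for the
example; they are not taken from any real capture or product."""
import socket
import struct
from collections import Counter

IPPROTO_IPIP = 4   # IP-in-IP encapsulation (RFC 2003)
IPPROTO_TCP = 6
IPPROTO_ESP = 50   # IPsec ESP: encrypted, cannot be inspected without keys

# Hypothetical rule set: a byte pattern and the action taken when the innermost
# payload contains it ("redirect" = route the packet to a different destination).
SIGNATURES = {b"EXAMPLE-SIG-0001": "redirect"}


def ipv4_checksum(header: bytes) -> int:
    """Standard one's-complement checksum over an (even-length) IPv4 header."""
    total = sum((header[i] << 8) | header[i + 1] for i in range(0, len(header), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Build a minimal IPv4 packet (no options) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(packet: bytes):
    """Return (src, dst, proto, payload). Raises ValueError on a malformed
    header, which the firewall treats as protocol non-compliance."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or total_len < ihl or len(packet) < total_len:
        raise ValueError("inconsistent length fields")
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad header checksum")
    return socket.inet_ntoa(src), socket.inet_ntoa(dst), proto, packet[ihl:total_len]


def decapsulate(packet: bytes, max_depth: int = 4):
    """Peel IP-in-IP layers until a non-encapsulating protocol is reached.
    Returns (layers, payload): one (src, dst, proto) tuple per IP header,
    outermost first, plus the bytes following the innermost IP header."""
    layers = []
    for _ in range(max_depth):
        src, dst, proto, payload = parse_ipv4(packet)
        layers.append((src, dst, proto))
        if proto != IPPROTO_IPIP:
            return layers, payload
        packet = payload
    raise ValueError("encapsulation deeper than max_depth")


def inspect(packet: bytes, stats: Counter) -> str:
    """Decide "pass", "redirect" or "drop" for one packet and update counters."""
    try:
        layers, payload = decapsulate(packet)
    except ValueError:
        stats["malformed"] += 1
        return "drop"
    inner_proto = layers[-1][2]
    stats["encap_depth:%d" % len(layers)] += 1
    stats["inner_proto:%d" % inner_proto] += 1
    if inner_proto == IPPROTO_ESP:
        # Encrypted VPN payload: no key material here, so it can only be counted.
        stats["opaque_encrypted"] += 1
        return "pass"  # assumed policy for this example
    for pattern, action in SIGNATURES.items():
        if pattern in payload:
            stats["matched"] += 1
            return action
    return "pass"


def demo():
    """Run four constructed packets through inspect() and return (actions, stats)."""
    stats = Counter()
    plain = build_ipv4("192.0.2.10", "198.51.100.20", IPPROTO_TCP, b"hello")
    inner = build_ipv4("10.0.0.1", "10.0.0.2", IPPROTO_TCP, b"data EXAMPLE-SIG-0001 more")
    tunnelled = build_ipv4("192.0.2.10", "198.51.100.20", IPPROTO_IPIP, inner)
    truncated = tunnelled[:30]  # outer total length says 66 bytes, only 30 present
    esp = build_ipv4("192.0.2.10", "198.51.100.20", IPPROTO_ESP, b"\x00" * 16)
    actions = [inspect(p, stats) for p in (plain, tunnelled, truncated, esp)]
    return actions, stats


if __name__ == "__main__":
    print(demo())
```

The inspection here looks at everything after the innermost IP header, so the transport header is part of the bytes matched; a production engine would parse the transport layer too and would match across packet boundaries after reassembly, which this sketch deliberately leaves out.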