There are two types of firewall. One is the normal firewall, which enforces access control rules for inbound and outbound traffic and works only at the network layer.
The other is the next-generation firewall, which comprises IPS/IDS modules as well as the access control feature.
IPS inspects live network packets in inline mode and compares them with its signature database/malicious file hashes (this database updates the malicious signatures/file hashes daily from the provider's portal). If a packet matches any malicious signature, it blocks that traffic and generates an event.
IDS usually takes a copy of the network packet and does the analysis; in case of any signature match it triggers an event. It does not block the traffic.
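
The difference between the two modes, as an added example that is not part of the original text: the same constructed signature/hash database is run over the same constructed packets, once inline (IPS) and once on a copy (IDS). The signature names, addresses, payloads and the `Sensor` class are assumptions made for illustration, and matching a file hash against a single packet payload is a simplification.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed signature database: one byte pattern and one known-bad file hash.
BAD_FILE = b"CONSTRUCTED-BAD-FILE-BODY"
SIGNATURES = {"SIG-DEMO-1": b"DEMO-ATTACK-PATTERN"}
BAD_HASHES = {hashlib.sha256(BAD_FILE).hexdigest(): "HASH-DEMO-1"}

@dataclass
class Packet:
    src: str
    dst: str
    payload: bytes

def match(packet):
    """Return the name of the first matching signature or file hash, else None."""
    for name, pattern in SIGNATURES.items():
        if pattern in packet.payload:
            return name
    return BAD_HASHES.get(hashlib.sha256(packet.payload).hexdigest())

@dataclass
class Sensor:
    inline: bool  # True = IPS (sits in the traffic path), False = IDS (sees a copy)
    events: list = field(default_factory=list)

    def process(self, packet):
        """Inspect one packet; return True if it still reaches its destination."""
        # An IDS analyses a copy, so the original is forwarded whatever the verdict.
        seen = packet if self.inline else Packet(packet.src, packet.dst, bytes(packet.payload))
        hit = match(seen)
        if hit is None:
            return True
        self.events.append((hit, packet.src, "blocked" if self.inline else "alert-only"))
        return not self.inline  # only the inline sensor can drop the traffic

TRAFFIC = [  # constructed packets
    Packet("10.0.0.5", "192.0.2.10", b"GET /index.html HTTP/1.1"),
    Packet("10.0.0.6", "192.0.2.10", b"GET /?q=DEMO-ATTACK-PATTERN HTTP/1.1"),
    Packet("10.0.0.7", "192.0.2.10", BAD_FILE),
]

def run(inline):
    """Feed TRAFFIC through a fresh sensor; return (delivered flags, events)."""
    sensor = Sensor(inline=inline)
    return [sensor.process(p) for p in TRAFFIC], sensor.events

if __name__ == "__main__":
    for inline in (True, False):
        print("IPS" if inline else "IDS", *run(inline))
```

Both sensors raise the same two events; only the inline one stops the matching packets from being delivered.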