Overview

A web application firewall (WAF) is an application-layer (OSI layer 7) firewall. It focuses not on the source and destination network addresses but on what is in the HTTP(S) requests and possibly responses. A WAF contains a list of rules for the requests that can be sent to web applications. Some WAFs also monitor responses from the application.

Why are they asking this?

WAFs can greatly increase the security of a web application. A WAF can help block malicious requests that could cause issues with the web application. When properly configured, WAFs can mitigate some types of vulnerabilities in web applications.

What do they expect?

They expect WAFs to be used for all externally facing web services or applications. They also expect the WAF to be configured with rules specific to the web application, not just the default rules.
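
The difference between default rules and application-specific rules, as an added example that is not from the original page or from any WAF product: the same requests are inspected on their HTTP content, first with a generic signature alone and then with per-path rules. The paths, parameters and rule names are constructed assumptions for a hypothetical application.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed "default" rule: a generic signature applied to every request.
DEFAULT_RULES = [
    ("generic-script-tag", re.compile(r"<\s*script", re.IGNORECASE)),
]

# Constructed application-specific rules (hypothetical application):
# allowed methods per path and the format each known parameter must have.
APP_RULES = {
    "/orders": {"methods": {"GET"}, "params": {"id": re.compile(r"\d{1,10}")}},
    "/search": {"methods": {"GET"}, "params": {"q": re.compile(r"[\w .-]{1,64}")}},
}

def inspect(method, url, body="", app_rules=None):
    """Return (decision, rule_name) from HTTP content only, never addresses."""
    parts = urlsplit(url)
    params = parse_qs(parts.query, keep_blank_values=True)  # URL-decodes values
    # Default rules: signature match in decoded parameter values or the body.
    haystack = " ".join(v for vals in params.values() for v in vals) + " " + body
    for name, pattern in DEFAULT_RULES:
        if pattern.search(haystack):
            return ("block", name)
    if app_rules is None:
        return ("allow", None)  # default-only configuration stops here
    # Application-specific rules: only what the application actually accepts.
    policy = app_rules.get(parts.path)
    if policy is None:
        return ("block", "app-unknown-path")
    if method not in policy["methods"]:
        return ("block", "app-method-not-allowed")
    for key, values in params.items():
        pattern = policy["params"].get(key)
        if pattern is None:
            return ("block", "app-unexpected-param")
        if not all(pattern.fullmatch(v) for v in values):
            return ("block", "app-param-format")
    return ("allow", None)

if __name__ == "__main__":
    for method, url in [("GET", "/orders?id=42"), ("GET", "/orders?id=42abc"),
                        ("DELETE", "/orders?id=42"), ("GET", "/search?q=%3Cscript%3E")]:
        print(method, url, inspect(method, url), inspect(method, url, app_rules=APP_RULES))
```

With only the default rule, the malformed `id` and the unexpected `DELETE` are allowed; the application-specific rules block both.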