A web application firewall (WAF) is a more sophisticated version of a reverse proxy. In truth, I haven’t seen really good WAF implementations built into next-gen firewalls, but there’s no reason it couldn’t be done.
A WAF enforces good HTTP and HTTPS behaviour. It’s usually implemented to decrypt the HTTPS packets and forward them to the web server as standard HTTP traffic. The WAF holds the SSL certificates for the web server. In this way, the WAF is able to fully inspect the contents of every packet.
A WAF typically looks for things like attempted buffer overflow attacks on input fields, SQL injection attacks, cross-site scripting, and so forth. It also tries to detect any attempts to exploit known vulnerabilities in web server software.
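As an added illustration (not code from the original page or from any WAF product), the sketch below applies the kinds of checks described above to a request after TLS has been terminated: it rejects malformed HTTP, flags oversized input fields, and matches a few illustrative SQL injection and cross-site scripting signatures. The host name, the 256-character limit, the rule patterns and the sample requests are all constructed assumptions.

```python
import re
from urllib.parse import parse_qsl, urlsplit

MAX_FIELD_LEN = 256  # assumed limit; a real WAF tunes this per field
# Illustrative signatures only; production rule sets are far larger.
RULES = {
    "sql_injection": re.compile(
        r"'\s*(?:or|and)\s+\S+\s*=\s*\S+|\bunion\s+(?:all\s+)?select\b"
        r"|;\s*(?:drop|delete|insert|update)\b", re.I),
    "cross_site_scripting": re.compile(
        r"<\s*script\b|\bon\w+\s*=|javascript\s*:", re.I),
}

def inspect(raw_request):
    """Return (field, finding) pairs for one decrypted HTTP request."""
    head, _, body = raw_request.partition("\r\n\r\n")
    lines = head.split("\r\n")
    try:  # enforce a well-formed request line: METHOD TARGET VERSION
        _method, target, _version = lines[0].split(" ")
    except ValueError:
        return [("request-line", "malformed_http")]
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            return [("header", "malformed_http")]
        headers[name.strip().lower()] = value.strip()
    # parse_qsl URL-decodes, so rules see the value the application would see
    fields = parse_qsl(urlsplit(target).query, keep_blank_values=True)
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        fields += parse_qsl(body, keep_blank_values=True)
    findings = []
    for name, value in fields:
        if len(value) > MAX_FIELD_LEN:
            findings.append((name, "oversized_input"))
        for rule, pattern in RULES.items():
            if pattern.search(value):
                findings.append((name, rule))
    return findings

# Constructed sample requests (shop.example is a placeholder host).
CLEAN = "GET /search?q=firewall+basics HTTP/1.1\r\nHost: shop.example\r\n\r\n"
SQLI = "GET /item?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1\r\nHost: shop.example\r\n\r\n"
POST = ("POST /comment HTTP/1.1\r\nHost: shop.example\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
        "comment=%3Cscript%3Ealert(1)%3C%2Fscript%3E&name=" + "A" * 300)

if __name__ == "__main__":
    for req in (CLEAN, SQLI, POST, "GARBAGE\r\n\r\n"):
        print(inspect(req) or "pass")
```

Signature matching like this is only one layer of the inspection; real deployments combine it with protocol validation and rules for known web server vulnerabilities.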