A Web Application Firewall (WAF) is a device or module that performs deep packet inspection, analyzing the payloads of HTTP transmissions. A WAF should be capable of interdicting Cross-site Scripting (XSS), SQL Injection, and other attacks from the OWASP Top Ten list. A WAF differs from a typical firewall in that it focuses entirely on application-layer concerns. A WAF can be deployed to meet the firewall requirements of PCI DSS.
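The distinction drawn above, as an added example that is not part of the original page: a port-based firewall check passes every request to an allowed port, while payload inspection decodes each parameter and matches it against signatures. The function names, the two simplified rules and the sample requests are assumptions constructed for illustration, not a real WAF rule set.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Illustrative signatures only (assumed); production rule sets are far broader.
RULES = {
    "sqli": re.compile(r"""['"]\s*(?:or|and)\s+['"\w]+\s*=|\bunion\s+select\b""", re.I),
    "xss": re.compile(r"<\s*script\b|\bon\w+\s*=|javascript:", re.I),
}

def network_firewall_allows(dst_port, allowed_ports=(80, 443)):
    """A typical firewall decides on addresses and ports, never the payload."""
    return dst_port in allowed_ports

def normalize(value, rounds=2):
    """Percent-decode repeatedly so encoded payloads are matched in plain form."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def waf_inspect(request_target, body=""):
    """Return the sorted rule names matched by any query or form parameter."""
    # parse_qsl already performs the first round of percent-decoding.
    params = parse_qsl(urlsplit(request_target).query, keep_blank_values=True)
    params += parse_qsl(body, keep_blank_values=True)
    hits = set()
    for _name, value in params:
        text = normalize(value)
        hits.update(rule for rule, rx in RULES.items() if rx.search(text))
    return sorted(hits)

# Constructed sample requests (not taken from real traffic).
SAMPLES = [
    ("/search?q=blue+widgets", ""),
    ("/item?id=1%27%20OR%20%271%27%3D%271", ""),
    ("/comment", "text=%253Cscript%253Ealert(1)%253C%252Fscript%253E"),
]

if __name__ == "__main__":
    for target, body in SAMPLES:
        verdict = waf_inspect(target, body)
        print("port 443 allowed:", network_firewall_allows(443),
              "| WAF:", "BLOCK" if verdict else "PASS", verdict, target)
```

All three samples pass the port check; only the payload inspection separates the benign search from the other two, including the double-encoded form body.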
References:
https://www.owasp.org/index.php/Web_Application_Firewall
http://projects.webappsec.org/w/page/13246985/Web%20Application%20Firewall%20Evaluation%20Criteria