Network communication is divided into layers, like a cake. The bottom of the cake is very simple, the top of the cake is very complex.

In our example, the bottom of the cake is the electrical signal on the wire and most firewalls you’re familiar with operate at the 3rd and 4th layers (IP and TCP).

A WAF, or Web Application Firewall, operates way up at the top layer, layer 7. It’s much more complex, but also much more powerful as a result.

As for your last question, yes, most WAF products are also reverse proxies.

I would imagine it works a bit like what I do for a living. I work in email security. Regardless if you purchased encryption or spam filtering from us, your email routes go through our servers. If your incoming mail is being filtered, you change your MX records to point to us. If your outbound mail is run through us, your email server is set to route through our servers. I would imagine WAF would be about the same. Point your DNS to the WAF server and everything going out is pointed to it as well.