Web application firewalls (WAFs) try to protect web applications from attacks through a number of methods. They can be deployed in a “canned” state where the system uses defaults to detect and mitigate potential attacks. Many of the systems that I’ve tested in my career doing web application penetration testing were deployed in this manner. The real benefit (and problem with) WAFs comes from customizing the system to your application. While this can be a time-consuming process, you will be increasing the effectiveness of the WAF and decreasing the false positive events that are flagged.
Of course there are almost always ways around WAFs and here is a pretty good set of slides describing some of the methods: http://www.slideshare.net/d0znpp/lie-tomephd2013