
A WAF is not the same thing as a general-purpose firewall. Think of it as a web proxy with filtering capabilities.



Yeah, I find myself kinda annoyed at the term WAF, as it overloads the term "firewall". But your description is quite accurate. Whether you're doing your filtering with an expensive F5 Big-IP with its nifty glowy logo on the front bezel, an haproxy instance from some WAF-as-a-service vendor, or Nginx and some plugins running on a VM, any of those, done right, can serve in a WAF role.

I say that now, but I wish I understood that a few years ago, when faced with the WAF line item on a WAF, I promptly went "WTF is a WAF? *googles* No, we have a WAF." Could have saved myself some security audit pain.

On the flip side, I did manage to get some upgrade budget out of failing that battery of line items.


It seems to me the basic definition of a firewall is:

"A firewall is a network security device that monitors incoming and outgoing network traffic and decides whether to allow or block specific traffic based on a defined set of security rules."

https://www.cisco.com/c/en/us/products/security/firewalls/wh...

"usually firewall \ ˈfī(-ə)r-ˌwȯl \ : computer hardware or software that prevents unauthorized access to private data (as on a company's local area network or intranet) by outside computer users (as of the Internet)"

https://www.merriam-webster.com/dictionary/firewall

This and other "web application firewalls" seem to meet these kinds of definitions. Add to that the fact that more and more "traditional" firewall appliances are adding behavioral filtering and have had application tracking for decades, and we're far from "firewall" being limited to only a layer 3 device.
