Web Application Firewalls vs. Network Firewalls

Web Application Firewalls (WAFs) and network firewalls serve a similar purpose: blocking traffic when it violates certain security conditions. The difference between a WAF and a network firewall is that they operate at different layers of computer networking and so use different criteria for blocking traffic.

As the term "network firewall" can be ambiguous, we'll use the more specific term "IP packet filter" which is usually the type of firewall implied when the term "network firewall" is used.

Web Application Firewalls

A Web Application Firewall (WAF) inspects the actual content of an HTTP request to determine if the request is malicious. By looking at the content of the request, a WAF can consider factors such as the request method (GET, POST, PUT, etc.), the exact URL path being requested, the headers of the request such as the User-Agent, and the query string or request body, if present.

In many cases, exploiting certain types of vulnerabilities requires attackers to include unusual content in their malicious requests. A WAF includes rules that identify this unusual content. For example, a SQL injection attack will often include SQL keywords (database commands) in the URL, headers, query string, or POST body of a request.

In order for a WAF to work, it must be able to inspect the unencrypted content of a request. A request that is still encrypted with SSL/TLS can't be inspected by a WAF. As a result, WAFs run either within the web server (after the web server has removed the encryption) or within the web application that the web server internally hands the request over to.

IP Packet Filter (Network Firewall)

An IP packet filter looks at a lower layer of computer networking data than a WAF. High-level protocols such as HTTP are built on top of low-level protocols such as TCP/IP and UDP/IP. These low-level protocols divide all communication up into small, individual packets which are transmitted over computer networks such as the Internet. Each of these individual packets includes routing information such as the source and destination IP addresses and source and destination ports. This routing data enables each packet to be delivered from the computer that sent the packet (the source) to the computer that is intended to receive the packet (the destination).

An IP address is a number assigned to every computer on a network. IP stands for Internet Protocol, which is the fundamental protocol that enables sending packets of data over the Internet from one computer to another. Similar to a mailing address, an IP address is used to determine where each packet should be delivered to.

A port number is also included in each packet's routing information. The destination port identifies which specific service will be the final destination for the data contained in the packet. You can think of a port number like an apartment number or post office box number. Many ports are standardized. Port 80 is for HTTP. Port 443 is for HTTPS. Port 22 is for SSH.

An IP packet filter can be configured, for example, to block packets to port 22 (SSH) unless those packets originated from a specific set of IP addresses. Businesses often use such rules to restrict access to private services so those services can only be accessed from computers in the company's office network or from within the same virtual network where a server is running.
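To make the layer difference concrete, the following added example (not HeatShield's code) implements both kinds of rule side by side: a packet filter that drops SSH packets unless they come from a constructed office network, and a minimal WAF check that looks for SQL keywords in the decrypted request's method, path, query string, headers and body. The `203.0.113.0/24` range and the `SQLI_PATTERN` signature are constructed placeholders; a real WAF rule set is far larger.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import unquote_plus

# --- IP packet filter (layers 3/4): sees addresses and ports only, never the payload ---

# Constructed allow-list (TEST-NET-3 range, placeholder): only the office network may reach SSH.
OFFICE_NETWORK = ipaddress.ip_network("203.0.113.0/24")

@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int

def packet_filter_verdict(pkt: Packet) -> str:
    """Block SSH (port 22) unless the packet originates from the office network."""
    if pkt.dst_port == 22 and ipaddress.ip_address(pkt.src_ip) not in OFFICE_NETWORK:
        return "DROP"
    return "ACCEPT"

# --- WAF (layer 7): inspects the decrypted HTTP request itself ---

ALLOWED_METHODS = {"GET", "HEAD", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"}

# Hypothetical, deliberately small SQL-injection signature: SQL keywords combined with
# quoting or comment syntax. Real rule sets are much larger and tuned to limit false positives.
SQLI_PATTERN = re.compile(r"(?i)(\bUNION\b\s+\bSELECT\b|'\s*OR\s+['\d]|--\s|;\s*DROP\b)")

def waf_verdict(method: str, path: str, headers: dict, body: str = "") -> Optional[str]:
    """Return the name of the request field that matched a rule, or None if the request is clean."""
    if method.upper() not in ALLOWED_METHODS:
        return "method"
    url_path, _, query = path.partition("?")
    # Decode URL encoding first so that %27 or '+' cannot be used to slip past the pattern.
    fields = {"path": unquote_plus(url_path), "query": unquote_plus(query), "body": unquote_plus(body)}
    fields.update({f"header:{name}": value for name, value in headers.items()})
    for name, value in fields.items():
        if SQLI_PATTERN.search(value):
            return name
    return None

if __name__ == "__main__":
    # A SQL-injection probe sent over HTTPS to port 443: the packet filter accepts it because the
    # port is allowed; only the WAF, seeing the decrypted request, can flag the query string.
    print(packet_filter_verdict(Packet("198.51.100.77", "198.51.100.5", 443)))  # ACCEPT
    print(waf_verdict("GET", "/products?id=1'+OR+'1'='1", {"User-Agent": "Mozilla/5.0"}))  # query
```

The packet filter never sees the query string, which is why the two controls complement rather than replace each other.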