Recently, we purchased a Barracuda Web Application Firewall (WAF) 460 to parse user input for a couple of our critical web applications, namely those that need to touch our Credit Card environment. Now, just for clarification purposes, I am NOT a web application administrator in the least bit. Yes, I can write scripts in PHP with MySQL in the back-end. Nonetheless, I was tasked with setting up this appliance.
So I get the device, push a trunk to my desktop switch, and start digging into the device. Basically, out of the box the WAF will work and will stop users from issuing SQL Injections, Cross-Site Scripting (XSS), Data Mining (CC / SSN Numbers), Cookie Poisoning, etc. Yet, this may not be what is needed in your environment.