IMHO the primary value for WAFs is for quickly blocking known vulnerabilities with specific rules to mitigate vulnerabilities while they are being properly patched. Ideally the WAF knows what software is behind it (example WordPress, Java app, ...) and can apply filters that may be relevant.

Anything else is just a fuzzy bug injector that will only stop the simplest scanners and script kiddies if you are lucky.