Application layer firewalls function in one of two modes: passive or active. Active application firewalls actively inspect all incoming requests -- including the actual message being exchanged -- against known vulnerabilities such as SQL injection, parameter and cookie tampering, and cross-site scripting. Only requests that are deemed "clean" are passed to the application. Passive application layer firewalls act in a manner similar to an IDS (Intrusion Detection System) in that they also inspect all incoming requests against known vulnerabilities, but they do not actively reject or deny those requests if a potential attack is discovered.
Application layer firewalls improve the overall security of the application infrastructure by preventing attacks that are likely to cause a service outage or cause structural damage to data sources. Application layer firewalls are generally remotely updateable, which allows them to prevent newly discovered vulnerabilities. These firewalls are often more up to date than specific security-focused code included in applications, due to the longer development and testing cycles required to include such code within applications.