A web application firewall does not route traffic on the network layer. All traffic stops at the firewall which may initiate its own connections if the traffic satisfies the rules.
SaaS (Software as a Service) is generally associated by software professionals and business associates with business software and is typically thought of as a low-cost way for businesses to obtain rights to use software as needed versus licensing all devices with all applications.
Even if your website doesn't get too much activity, you still want to make sure that its safe, and not low ball it because you want to save money. I do a lot of software research for my company, and have recently come across this new service called XyberShield. It is a relatively new concept for Internet Security, enacting a Behavior Based Protection that attacks and stops cyber attacks before they cause damage to your website. Everything from SQL Injection, Cross Site Scripting, SSI Injection, Brute Force Attacks, and HTTP Response Splitting is shut down through this service. The best part about it is its cheap compared to other services and products. You might want to check it out if your looking for something to protect your web application with, heres the linkhttp://xybershield.com
Hope I answered some of your questions, let me know if I can be of anymore help!