What is the difference between WAF and ZTNA?
The difference lies in their scope: ZTNA is for access control, and a WAF is for application defense.
A Web Application Firewall (WAF) is a security tool that sits in front of web applications (Layer 7) and protects them from specific external exploits, such as SQL injection, cross-site scripting (XSS), and DDoS attacks. It inspects the actual content of the HTTP/S traffic.
ZTNA is an access methodology that determines whether a user is authorized to connect to the application at all. ZTNA verifies the user and device identity before granting a secure connection; the WAF then filters the traffic that is allowed to reach the application via that ZTNA-established connection. They are complementary layers of defense.
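The layering described above, as an added sketch that is not part of the original page or any vendor's product: an access check that looks only at user and device, followed by a content check that looks only at the HTTP payload. All names, the policy tables and the two regex rules are constructed assumptions for illustration.

```python
import re
from dataclasses import dataclass
from urllib.parse import unquote_plus

# Constructed policy data for the illustration (not from any product).
AUTHORIZED = {("alice", "crm")}      # (user, application) grants
COMPLIANT_DEVICES = {"laptop-01"}    # devices that passed posture checks

# Deliberately tiny signature set; real WAF rule sets are far larger.
WAF_RULES = {
    "sqli": re.compile(r"('|\")\s*or\s+\d+\s*=\s*\d+|union\s+select", re.I),
    "xss": re.compile(r"<\s*script\b|\bon\w+\s*=", re.I),
}

@dataclass
class Request:
    user: str
    device: str
    app: str
    query: str  # raw query string or body as sent over HTTP/S

def ztna_check(req):
    """Access decision: identity and device only; the payload is never examined."""
    if (req.user, req.app) not in AUTHORIZED:
        return "user not authorized for app"
    if req.device not in COMPLIANT_DEVICES:
        return "device failed posture check"
    return None

def waf_check(req):
    """Content decision: inspects the Layer 7 payload, ignores who sent it."""
    decoded = unquote_plus(req.query)
    for name, rule in WAF_RULES.items():
        if rule.search(decoded):
            return f"payload matched {name} rule"
    return None

def handle(req):
    """ZTNA gates the connection first; the WAF filters what gets through."""
    reason = ztna_check(req)
    if reason:
        return ("ztna", reason)
    reason = waf_check(req)
    if reason:
        return ("waf", reason)
    return ("allow", "forwarded to application")
```

The third case in practice is the one that motivates running both: a fully authorized user on a compliant device can still send a request that only content inspection will stop.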