diff --git a/ansible/group_vars/all.yml b/ansible/group_vars/all.yml
index b49b776da3ebb5cdc794a6ff24c533012ab70a93..d93dcacc7860925ca30601535581eb153128f88b 100644
--- a/ansible/group_vars/all.yml
+++ b/ansible/group_vars/all.yml
@@ -288,6 +288,7 @@ enable_murano: "no"
 enable_neutron_vpnaas: "no"
 enable_neutron_dvr: "no"
 enable_neutron_lbaas: "no"
+enable_neutron_fwaas: "no"
 enable_neutron_qos: "no"
 enable_neutron_agent_ha: "no"
 enable_octavia: "no"
diff --git a/ansible/roles/neutron/templates/l3_agent.ini.j2 b/ansible/roles/neutron/templates/l3_agent.ini.j2
index 7b513d4eb4d45b2f51a84b7bd23f6af795d82c75..c9dea04a53c8a651b0fb939506cd475249f955c5 100644
--- a/ansible/roles/neutron/templates/l3_agent.ini.j2
+++ b/ansible/roles/neutron/templates/l3_agent.ini.j2
@@ -9,3 +9,8 @@ agent_mode = dvr
 {% else %}
 agent_mode = legacy
 {% endif %}
+{% if enable_neutron_fwaas | bool %}
+[fwaas]
+driver = neutron_fwaas.services.firewall.drivers.linux.iptables_fwaas.IptablesFwaasDriver
+enabled = True
+{% endif %}
diff --git a/ansible/roles/neutron/templates/neutron.conf.j2 b/ansible/roles/neutron/templates/neutron.conf.j2
index 8dbd2880ad55eb801c1c3df6bc7f2e9b7c474076..7f679d67247321ebc7efdf5c3e2a0eb31b04da26 100644
--- a/ansible/roles/neutron/templates/neutron.conf.j2
+++ b/ansible/roles/neutron/templates/neutron.conf.j2
@@ -35,7 +35,7 @@ host = {{ ansible_hostname }}_{{ item }}
 
 allow_overlapping_ips = true
 core_plugin = ml2
-service_plugins = router{% if enable_neutron_lbaas | bool %},neutron_lbaas.services.loadbalancer.plugin.LoadBalancerPluginv2{% endif %}{% if enable_neutron_qos | bool %},qos{% endif %}{% if enable_neutron_vpnaas | bool %},neutron_vpnaas.services.vpn.plugin.VPNDriverPlugin{% endif %}{% if neutron_plugin_agent == "sfc" %}flow_classifier,sfc{% endif %}
+service_plugins = router{% if enable_neutron_lbaas | bool %},neutron_lbaas.services.loadbalancer.plugin.LoadBalancerPluginv2{% endif %}{% if enable_neutron_qos | bool %},qos{% endif %}{% if enable_neutron_vpnaas | bool %},neutron_vpnaas.services.vpn.plugin.VPNDriverPlugin{% endif %}{% if neutron_plugin_agent == "sfc" %}flow_classifier,sfc{% endif %}{% if enable_neutron_fwaas | bool %},neutron.services.firewall.fwaas_plugin.FirewallPlugin{% endif %}
 
 {% if enable_neutron_agent_ha | bool %}
 dhcp_agents_per_network = {{ dhcp_agents_per_network }}
diff --git a/etc/kolla/globals.yml b/etc/kolla/globals.yml
index 51397d6bad8e4409595d8f6f82562b4d13a0719b..0636ce9f314c11931dad7246245b08ab2929e681 100644
--- a/etc/kolla/globals.yml
+++ b/etc/kolla/globals.yml
@@ -146,6 +146,7 @@ kolla_internal_vip_address: "10.10.10.254"
 #enable_multipathd: "no"
 #enable_neutron_dvr: "no"
 #enable_neutron_lbaas: "no"
+#enable_neutron_fwaas: "no"
 #enable_neutron_qos: "no"
 #enable_neutron_agent_ha: "no"
 #enable_neutron_vpnaas: "no"
diff --git a/releasenotes/notes/kolla-neutron-fwaas-751aad2dad2381fc.yaml b/releasenotes/notes/kolla-neutron-fwaas-751aad2dad2381fc.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..0de0082540a1f858d358b03f3e0f276b6944d597
--- /dev/null
+++ b/releasenotes/notes/kolla-neutron-fwaas-751aad2dad2381fc.yaml
@@ -0,0 +1,3 @@
+---
+features:
+  - "Add support for neutron-fwaas. Set 'enable_neutron_fwaas: yes' to enable."