diff --git a/defaults/main.yml b/defaults/main.yml
index 32564df9..289b27a7 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -218,6 +218,10 @@ neutron_l3: "{% if 'router' in neutron_plugin_base or 'neutron.services.l3_route
 #TODO(odyssey4me): Remove the class path from this conditional in the Newton cycle
 neutron_metering: "{% if 'metering' in neutron_plugin_base or 'neutron.services.metering.metering_plugin.MeteringPlugin' in neutron_plugin_base %}True{% else %}False{% endif %}"
+## Neutron FWaaS
+# Please add the 'firewall' to the neutron_plugin_base list
+neutron_fwaas: "{% if 'firewall' in neutron_plugin_base %}True{% else %}False{% endif %}"
+
 ## Drivers
 neutron_driver_network_scheduler: neutron.scheduler.dhcp_agent_scheduler.WeightScheduler
 neutron_driver_router_scheduler: neutron.scheduler.l3_agent_scheduler.LeastRoutersScheduler
@@ -390,6 +394,7 @@ neutron_pip_packages:
 - keystonemiddleware
 - PyMySQL
 - neutron
+ - neutron_fwaas
 - neutron_lbaas
 - pycrypto
 - python-glanceclient
diff --git a/releasenotes/notes/neutron-fwaas-5c7c6508f2cc05c3.yaml b/releasenotes/notes/neutron-fwaas-5c7c6508f2cc05c3.yaml
new file mode 100644
index 00000000..3048dad9
--- /dev/null
+++ b/releasenotes/notes/neutron-fwaas-5c7c6508f2cc05c3.yaml
@@ -0,0 +1,15 @@
+---
+features:
+ - Neutron Firewall as a Service (FWaaS) can now optionally be deployed and
+ configured. Please see the `FWaaS Configuration Reference
+ `_
+ for details about the what the service is and what it provides. See the
+ `FWaaS Install Guide `_
+ for implementation details.
+upgrade:
+ - Database migration tasks have been added for the FWaaS neutron plugin.
+security:
+ - When enabled, Neutron Firewall as a Service (FWaaS) provides projects the
+ option to implement perimeter security (filtering at the router), adding to
+ filtering at the instance interfaces which is provided by 'Security
+ Groups'.
diff --git a/templates/neutron.conf.j2 b/templates/neutron.conf.j2
index a7f09fb6..17573475 100644
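Review bot: The new `neutron_fwaas` default in the first `defaults/main.yml` hunk matches only the `'firewall'` alias, whereas the `neutron_metering` default directly above it (and `neutron_l3` in the hunk header) also accepts the full plugin class path. If a deployment lists the FWaaS plugin by class path in `neutron_plugin_base`, this evaluates to False and the `[fwaas]` block this commit adds to `templates/neutron.conf.j2` would not be rendered; presumably the service plugin would still be loaded, which would leave it without driver configuration and the operator assuming perimeter filtering is active. The comment should state the requirement explicitly, for example `# FWaaS is enabled only when the 'firewall' alias is in neutron_plugin_base; a full class path is not matched.` The value is also the string "True"/"False" rather than a boolean, so every consumer must apply `| bool`, as the template hunk does.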
--- a/templates/neutron.conf.j2
+++ b/templates/neutron.conf.j2
@@ -166,6 +166,12 @@ service_provider = LOADBALANCERV2:Haproxy:neutron_lbaas.drivers.haproxy.plugin_d
 {% endif %}
+{% if neutron_fwaas | bool and neutron_plugin_type != 'plumgrid' %}
+[fwaas]
+enabled = true
+driver = neutron.services.firewall.drivers.linux.iptables_fwaas.IptablesFwaasDriver
+{% endif %}
+
 # Agent
 [agent]
 polling_interval = {{ neutron_agent_polling_interval|default(5) }}
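Review bot: The guard `{% if neutron_fwaas | bool and neutron_plugin_type != 'plumgrid' %}` silently drops the whole `[fwaas]` section when the plugin type is plumgrid, even though `'firewall'` can still be present in `neutron_plugin_base`. In that combination the operator gets no driver configuration and no indication of it, so firewall rules may be accepted but not enforced; this is inferred from the hunk and should be confirmed against the plumgrid code path. A comment above the condition such as `# FWaaS iptables driver; skipped for plumgrid (reason to be confirmed by the author)` would record the intent, and a pre-flight check in the role's tasks could fail the run when FWaaS is requested with an unsupported plugin type. The driver class path is also hard-coded in this block, so a deployment cannot select a different driver without overriding the template.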