diff --git a/config.yaml b/config.yaml index dd63df93..26643c9b 100644 --- a/config.yaml +++ b/config.yaml @@ -327,6 +327,13 @@ options: for Neutron agents (DHCP and L3 agents). This option overrides the default-availability-zone charm config setting only when the Juju provider sets JUJU_AVAILABILITY_ZONE. + firewall-driver: + type: string + default: + description: | + Firewall driver to use to support use of security groups with + instances; valid values include iptables_hybrid (default) and + openvswitch. This config option is ignored for < Queens. firewall-group-log-output-base: type: string default: diff --git a/hooks/neutron_contexts.py b/hooks/neutron_contexts.py index 4abec69e..abe181b0 100644 --- a/hooks/neutron_contexts.py +++ b/hooks/neutron_contexts.py @@ -49,10 +49,28 @@ CORE_PLUGIN = { OVS_ODL: NEUTRON_OVS_ODL_PLUGIN, } +IPTABLES_HYBRID = 'iptables_hybrid' +OPENVSWITCH = 'openvswitch' +VALID_FIREWALL_DRIVERS = (IPTABLES_HYBRID, OPENVSWITCH) + NFG_LOG_RATE_LIMIT_MIN = 100 NFG_LOG_BURST_LIMIT_MIN = 25 +def _get_firewall_driver(): + ''' + Determine the firewall driver to use based on configuration, + OpenStack and Ubuntu releases. + + @returns str: firewall driver to use for OpenvSwitch + ''' + driver = config('firewall-driver') or IPTABLES_HYBRID + if driver not in VALID_FIREWALL_DRIVERS: + return IPTABLES_HYBRID + + return driver + + def get_availability_zone(): use_juju_az = config('customize-failure-domain') juju_az = os.environ.get('JUJU_AVAILABILITY_ZONE') @@ -217,6 +235,8 @@ class NeutronGatewayContext(NeutronAPIContext): NFG_LOG_BURST_LIMIT_MIN ) + ctxt['firewall_driver'] = _get_firewall_driver() + return ctxt diff --git a/templates/queens/openvswitch_agent.ini b/templates/queens/openvswitch_agent.ini index 347e7bb3..876bf47d 100644 --- a/templates/queens/openvswitch_agent.ini +++ b/templates/queens/openvswitch_agent.ini 
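Review bot: The description of the new `firewall-driver` option does not say what happens with a value outside the listed set, while the accompanying `_get_firewall_driver` in hooks/neutron_contexts.py silently substitutes `iptables_hybrid`; an operator who types `openvswtich` gets the hybrid driver with nothing in config or status to show it. I would extend the description with a sentence such as `Any other value is ignored and iptables_hybrid is used.` so the documented contract matches the code. It would also help operators to note that the openvswitch (native conntrack) driver depends on conntrack support in the unit's kernel and Open vSwitch; I cannot tell from this diff whether the charm checks that anywhere, so if it does not, the description is the place to say so.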
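Review bot: `_get_firewall_driver` drops an unrecognised `firewall-driver` value on the floor and returns `IPTABLES_HYBRID` without logging, so a misconfiguration that the operator intended as a security-relevant change is masked rather than surfaced. If charmhelpers' `log`/`WARNING` are in scope in this module (they usually are in these hook files, but the import block is not in the hunk), the rejection branch should say so: `if driver not in VALID_FIREWALL_DRIVERS:` / `    log('Unsupported firewall-driver {}; using {}'.format(driver, IPTABLES_HYBRID), level=WARNING)` / `    return IPTABLES_HYBRID`. The docstring also over-claims: it says the choice is "based on configuration, OpenStack and Ubuntu releases", but the body reads only `config('firewall-driver')`; I would reword it to "Return the firewall driver from the firewall-driver option, falling back to iptables_hybrid for an unset or unrecognised value (release gating is done by which templates consume the key)". The second hunk adds `ctxt['firewall_driver']` inside `NeutronGatewayContext.__call__`, whose body starts and ends outside the hunk.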
@@ -23,4 +23,4 @@ extensions = {{ extension_drivers }} {% endif %} [securitygroup] -firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver +firewall_driver = {{ firewall_driver }} diff --git a/unit_tests/test_neutron_contexts.py b/unit_tests/test_neutron_contexts.py index 0ee15c22..62527ce0 100644 --- a/unit_tests/test_neutron_contexts.py +++ b/unit_tests/test_neutron_contexts.py @@ -240,6 +240,7 @@ class TestNeutronGatewayContext(CharmTestCase): 'nfg_log_rate_limit': 100, 'ovsdb_timeout': 10, 'keepalived_healthcheck_interval': 0, + 'firewall_driver': "iptables_hybrid", }) @patch.object(neutron_contexts, 'validate_nfg_log_path', lambda x: x) @@ -303,6 +304,7 @@ class TestNeutronGatewayContext(CharmTestCase): 'nfg_log_rate_limit': None, 'ovsdb_timeout': 60, 'keepalived_healthcheck_interval': 0, + 'firewall_driver': "iptables_hybrid", }) @patch('os.environ.get')
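Review bot: The `[securitygroup]` line now renders whatever the context supplies, so the template's safety rests entirely on `_get_firewall_driver` never returning an empty value; if a later change lets `firewall_driver` be undefined or empty, the OVS agent would either fail to load a driver or, as I recall Neutron's handling of an unset `firewall_driver`, run without security-group enforcement, which is a fail-open outcome for a network node. A small guard in the template preserves today's behaviour in that case: `firewall_driver = {{ firewall_driver or 'iptables_hybrid' }}`. Also note the old line used the full class path whereas the new one relies on Neutron's short driver aliases (`iptables_hybrid`, `openvswitch`); those aliases exist for Queens, the only template changed here, and I take it the pre-Queens templates are deliberately left alone as the option description states.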
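Review bot: Both updated tests only pin the default outcome (`'firewall_driver': "iptables_hybrid"`); nothing exercises the path where `firewall-driver` is set to `openvswitch`, nor the branch where an unrecognised value is silently replaced by `iptables_hybrid`, which is exactly the branch most likely to hide a misconfiguration. Assuming the `CharmTestCase` config stub is what drives `config()` here, I would add one test that does `self.test_config.set('firewall-driver', 'openvswitch')` and asserts `ctxt['firewall_driver'] == 'openvswitch'`, and a sibling that sets a bogus value and asserts the fallback, so a future edit to `VALID_FIREWALL_DRIVERS` or the fallback cannot go unnoticed. The enclosing `TestNeutronGatewayContext` methods start before each hunk.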