diff --git a/roles/ipaserver/defaults/main.yml b/roles/ipaserver/defaults/main.yml
index 79f61c2f4fa2ed82ea63820d22d2fc683f564fbd..b2ff174c758b1997e6f58f0191ddb499f6273499 100644
--- a/roles/ipaserver/defaults/main.yml
+++ b/roles/ipaserver/defaults/main.yml
@@ -30,6 +30,8 @@ ipaserver_no_dnssec_validation: no
 ### ad trust ###
 ipaserver_enable_compat: no
 ipaserver_setup_ca: yes
+### firewalld ###
+ipaserver_no_firewalld: no
 
 ### additional ###
 ipaserver_allow_missing: [ ]
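Review bot: The new `ipaserver_no_firewalld` default is added without a comment saying what it disables, and the role README (not part of this diff) should list it with the other ipaserver variables. A one-line comment above it would be enough: `# Set to yes to skip opening the FreeIPA services in firewalld`. The file uses `yes`/`no` throughout, so the YAML 1.1-style boolean matches the file's own convention even though `true`/`false` would be the portable spelling.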
diff --git a/roles/ipaserver/tasks/install.yml b/roles/ipaserver/tasks/install.yml
index de914c8bb9698c209734faf27500f629ea3b3c5b..a08c40f707015bf920273444f3ad6c8bb78054b0 100644
--- a/roles/ipaserver/tasks/install.yml
+++ b/roles/ipaserver/tasks/install.yml
@@ -361,3 +361,22 @@
       path: "/root/.ipa_cache"
       state: absent
     when: result_ipaserver_enable_ipa.changed
+
+  - name: Install - Configure firewalld
+    command: >
+      firewall-cmd
+      --permanent
+      --add-service=freeipa-ldap
+      --add-service=freeipa-ldaps
+      {{ "--add-service=dns" if ipaserver_setup_dns | bool else "" }}
+      {{ "--add-service=ntp" if not ipaclient_no_ntp | bool else "" }}
+    when: not ipaserver_no_firewalld | bool
+
+  - name: Install - Configure firewalld runtime
+    command: >
+      firewall-cmd
+      --add-service=freeipa-ldap
+      --add-service=freeipa-ldaps
+      {{ "--add-service=dns" if ipaserver_setup_dns | bool else "" }}
+      {{ "--add-service=ntp" if not ipaclient_no_ntp | bool else "" }}
+    when: not ipaserver_no_firewalld | bool
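Review bot: Both new tasks shell out with `command: firewall-cmd …`, so they report changed on every run (no `changed_when`) and fail outright on a host where firewalld is not installed or not running, even though the default `ipaserver_no_firewalld: no` leaves them enabled; the role loses idempotency and breaks on firewall-less hosts. The permanent and runtime calls can be collapsed into a single `firewalld` module task with `permanent: yes` and `immediate: yes`, which is idempotent and applies both states in one step, with the DNS and NTP services as loop items skipped by the per-item `when`. The reference to `ipaclient_no_ntp` inside an ipaserver task appears to rely on the ipaclient role's defaults being loaded; if the ipaserver defaults do not define it the task fails with an undefined variable, so an ipaserver-level default is worth adding. Either form still needs a guard that firewalld is actually present (a package or service fact) before the task runs.

```yaml
  - name: Install - Configure firewalld
    firewalld:
      service: "{{ item }}"
      permanent: yes
      immediate: yes
      state: enabled
    with_items:
      - freeipa-ldap
      - freeipa-ldaps
      - "{{ 'dns' if ipaserver_setup_dns | bool else '' }}"
      - "{{ 'ntp' if not ipaclient_no_ntp | bool else '' }}"
    when: not ipaserver_no_firewalld | bool and item != ''
```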