diff --git a/README.md b/README.md
index f0c995f0c0e7e9a04c8f01d20c228d46926c24ca..4f90ac2f09a63aae1be76ea6dfd968bdca3e6fe2 100644
--- a/README.md
+++ b/README.md
@@ -231,6 +231,7 @@ ipareplica_setup_firewalld=no
 ```
 
 The installation of packages and also the configuration of the firewall are by default enabled.
+Note that it is not enough to mask systemd firewalld service to skip the firewalld configuration. You need to set the variable to `no`.
 
 For more replica settings, please have a look at the [replica role documentation](roles/ipareplica/README.md).
 
diff --git a/roles/ipareplica/tasks/install.yml b/roles/ipareplica/tasks/install.yml
index 259ae3fbe691a7a0b0d44f18859f10c743cca0d6..98681e068fe50c181fae4095f993a915ac94ed8e 100644
--- a/roles/ipareplica/tasks/install.yml
+++ b/roles/ipareplica/tasks/install.yml
@@ -20,6 +20,19 @@
       state: present
     when: ipareplica_setup_adtrust | bool
 
+  - name: Install - Ensure that firewall packages installed
+    package:
+      name: "{{ ipareplica_packages_firewalld }}"
+      state: present
+    when: ipareplica_setup_firewalld | bool
+
+  - name: Firewalld service - Ensure that firewalld is running
+    systemd:
+      name: firewalld
+      enabled: yes
+      state: started
+    when: ipareplica_setup_firewalld | bool
+
   when: ipareplica_install_packages | bool
 
 #- name: Install - Include Python2/3 import test
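Review bot: The new `Firewalld service - Ensure that firewalld is running` task sits inside the block closed by `when: ipareplica_install_packages | bool`, so with `ipareplica_install_packages=no` and `ipareplica_setup_firewalld` left enabled, this role never enables or starts firewalld. Any later firewall configuration step would then presumably run against a stopped daemon and either fail or leave the replica without its intended rules. I would move that task out of the block so it is gated only by `when: ipareplica_setup_firewalld | bool`, and write `enabled: true` instead of `enabled: yes` while there. The block opens above the hunk, so its start is not visible here.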
diff --git a/roles/ipareplica/vars/CentOS-7.yml b/roles/ipareplica/vars/CentOS-7.yml
index 2baa874fc8f1f759ddf2e462aa0341356b15be86..614de3e5a4c20c71714a1a0c7dc96b8f7e4c8ff7 100644
--- a/roles/ipareplica/vars/CentOS-7.yml
+++ b/roles/ipareplica/vars/CentOS-7.yml
@@ -2,4 +2,5 @@
 # vars/RedHat-7.yml
 ipareplica_packages: [ "ipa-server", "libselinux-python" ]
 ipareplica_packages_dns: [ "ipa-server-dns" ]
-ipareplica_packages_adtrust: [ "ipa-server-trust-ad" ]
\ No newline at end of file
+ipareplica_packages_adtrust: [ "ipa-server-trust-ad" ]
+ipareplica_packages_firewalld: [ "firewalld" ]
\ No newline at end of file
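Review bot: The added `ipareplica_packages_firewalld: [ "firewalld" ]` line is again the last line of the file without a terminating newline, so the next variable appended here will once more show up as a change to this line. End the file with a single newline after the new entry. The same applies to the hunks for Fedora-25.yml, Fedora-26.yml, Fedora-27.yml, Fedora.yml, RedHat-7.3.yml and RedHat-7.yml.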
diff --git a/roles/ipareplica/vars/Fedora-25.yml b/roles/ipareplica/vars/Fedora-25.yml
index f1dc77f6b740ecc826312efb22af31c18cc49d2f..ce981ff81f3a352532d0ac7f5bfb38db90a27fe4 100644
--- a/roles/ipareplica/vars/Fedora-25.yml
+++ b/roles/ipareplica/vars/Fedora-25.yml
@@ -2,4 +2,5 @@
 # vars/Fedora-25.yml
 ipareplica_packages: [ "ipa-server", "libselinux-python" ]
 ipareplica_packages_dns: [ "ipa-server-dns" ]
-ipareplica_packages_adtrust: [ "ipa-server-trust-ad" ]
\ No newline at end of file
+ipareplica_packages_adtrust: [ "ipa-server-trust-ad" ]
+ipareplica_packages_firewalld: [ "firewalld" ]
\ No newline at end of file
diff --git a/roles/ipareplica/vars/Fedora-26.yml b/roles/ipareplica/vars/Fedora-26.yml
index a52502672b59a04ebc5159d84b3e7aabfa0303ea..5a65e43a895cf3a1c41d3379f659652ba8096d02 100644
--- a/roles/ipareplica/vars/Fedora-26.yml
+++ b/roles/ipareplica/vars/Fedora-26.yml
@@ -2,4 +2,5 @@
 # vars/Fedora-26.yml
 ipareplica_packages: [ "ipa-server", "libselinux-python" ]
 ipareplica_packages_dns: [ "ipa-server-dns" ]
-ipareplica_packages_adtrust: [ "ipa-server-trust-ad" ]
\ No newline at end of file
+ipareplica_packages_adtrust: [ "ipa-server-trust-ad" ]
+ipareplica_packages_firewalld: [ "firewalld" ]
\ No newline at end of file
diff --git a/roles/ipareplica/vars/Fedora-27.yml b/roles/ipareplica/vars/Fedora-27.yml
index f4e7ffcc44dad4c845c92e9f8d2c10e56f9088f4..5d6f02a1eaaf51f4cd2f3ad63d8d543bfa033bb6 100644
--- a/roles/ipareplica/vars/Fedora-27.yml
+++ b/roles/ipareplica/vars/Fedora-27.yml
@@ -2,4 +2,5 @@
 # vars/Fedora.yml
 ipareplica_packages: [ "ipa-server", "libselinux-python" ]
 ipareplica_packages_dns: [ "ipa-server-dns" ]
-ipareplica_packages_adtrust: [ "ipa-server-trust-ad" ]
\ No newline at end of file
+ipareplica_packages_adtrust: [ "ipa-server-trust-ad" ]
+ipareplica_packages_firewalld: [ "firewalld" ]
\ No newline at end of file
diff --git a/roles/ipareplica/vars/Fedora.yml b/roles/ipareplica/vars/Fedora.yml
index 5998d6de6196e5d2134c3d76c2bdf69d63a868e0..f19fb996943418c712a20402e6aad2e09433dc60 100644
--- a/roles/ipareplica/vars/Fedora.yml
+++ b/roles/ipareplica/vars/Fedora.yml
@@ -2,4 +2,5 @@
 # vars/Fedora.yml
 ipareplica_packages: [ "freeipa-server", "python3-libselinux" ]
 ipareplica_packages_dns: [ "freeipa-server-dns" ]
-ipareplica_packages_adtrust: [ "freeipa-server-trust-ad" ]
\ No newline at end of file
+ipareplica_packages_adtrust: [ "freeipa-server-trust-ad" ]
+ipareplica_packages_firewalld: [ "firewalld" ]
\ No newline at end of file
diff --git a/roles/ipareplica/vars/RedHat-7.3.yml b/roles/ipareplica/vars/RedHat-7.3.yml
index f7a951bcf055acec6fea41f1cc9a1c2532e458d0..a0e7ffea6522f2150289c71281096b4cca416729 100644
--- a/roles/ipareplica/vars/RedHat-7.3.yml
+++ b/roles/ipareplica/vars/RedHat-7.3.yml
@@ -2,4 +2,5 @@
 # vars/RedHat-7.3.yml
 ipareplica_packages: [ "ipa-server", "libselinux-python" ]
 ipareplica_packages_dns: [ "ipa-server-dns" ]
-ipareplica_packages_adtrust: [ "ipa-server-trust-ad" ]
\ No newline at end of file
+ipareplica_packages_adtrust: [ "ipa-server-trust-ad" ]
+ipareplica_packages_firewalld: [ "firewalld" ]
\ No newline at end of file
diff --git a/roles/ipareplica/vars/RedHat-7.yml b/roles/ipareplica/vars/RedHat-7.yml
index 2baa874fc8f1f759ddf2e462aa0341356b15be86..614de3e5a4c20c71714a1a0c7dc96b8f7e4c8ff7 100644
--- a/roles/ipareplica/vars/RedHat-7.yml
+++ b/roles/ipareplica/vars/RedHat-7.yml
@@ -2,4 +2,5 @@
 # vars/RedHat-7.yml
 ipareplica_packages: [ "ipa-server", "libselinux-python" ]
 ipareplica_packages_dns: [ "ipa-server-dns" ]
-ipareplica_packages_adtrust: [ "ipa-server-trust-ad" ]
\ No newline at end of file
+ipareplica_packages_adtrust: [ "ipa-server-trust-ad" ]
+ipareplica_packages_firewalld: [ "firewalld" ]
\ No newline at end of file
diff --git a/roles/ipareplica/vars/RedHat-8.yml b/roles/ipareplica/vars/RedHat-8.yml
index 2aad358bb59ecfc0e4df0c2c106dcd18b22a99d6..025730253dfa65685d81a61da93de0eb4bab9634 100644
--- a/roles/ipareplica/vars/RedHat-8.yml
+++ b/roles/ipareplica/vars/RedHat-8.yml
@@ -3,3 +3,4 @@
 ipareplica_packages: [ "@idm:DL1/server" ]
 ipareplica_packages_dns: [ "@idm:DL1/dns" ]
 ipareplica_packages_adtrust: [ "@idm:DL1/adtrust" ]
+ipareplica_packages_firewalld: [ "firewalld" ]
diff --git a/roles/ipareplica/vars/Ubuntu.yml b/roles/ipareplica/vars/Ubuntu.yml
index 761989a6916d6f603be599fe21cfc195def542ff..7cdabbfbde0e0f6d017db9e668b3550a37e0fa26 100644
--- a/roles/ipareplica/vars/Ubuntu.yml
+++ b/roles/ipareplica/vars/Ubuntu.yml
@@ -2,3 +2,4 @@
 ipareplica_packages: [ "freeipa-server" ]
 ipareplica_packages_dns: [ "freeipa-server-dns" ]
 ipareplica_packages_adtrust: [ "freeipa-server-trust-ad" ]
+ipareplica_packages_firewalld: [ "firewalld" ]
diff --git a/roles/ipareplica/vars/default.yml b/roles/ipareplica/vars/default.yml
index a1898867a04a1a5d1bda93ddd15cf8b594e52b21..ce7393a1b2ee4fa668f7b763716f61bf6414196e 100644
--- a/roles/ipareplica/vars/default.yml
+++ b/roles/ipareplica/vars/default.yml
@@ -3,3 +3,4 @@
 ipareplica_packages: [ "freeipa-server", "python3-libselinux" ]
 ipareplica_packages_dns: [ "freeipa-server-dns" ]
 ipareplica_packages_adtrust: [ "freeipa-server-trust-ad" ]
+ipareplica_packages_firewalld: [ "firewalld" ]