diff --git a/salt/firewall/defaults.yaml b/salt/firewall/defaults.yaml
index 45567de91..0a4635004 100644
--- a/salt/firewall/defaults.yaml
+++ b/salt/firewall/defaults.yaml
@@ -731,7 +731,6 @@ firewall:
                 - yum
                 - beats_5044
                 - beats_5644
-                - beats_5056
                 - elastic_agent_control
                 - elastic_agent_data
                 - elastic_agent_update
@@ -1159,6 +1158,9 @@ firewall:
       chain:
         DOCKER-USER:
           hostgroups:
+            fleet:
+              portgroups:
+                - beats_5056
             sensor:
               portgroups:
                 - beats_5044
diff --git a/salt/logstash/pipelines/config/so/9806_output_lumberjack_fleet.conf.jinja b/salt/logstash/pipelines/config/so/9806_output_lumberjack_fleet.conf.jinja
index 776488c06..50328e833 100644
--- a/salt/logstash/pipelines/config/so/9806_output_lumberjack_fleet.conf.jinja
+++ b/salt/logstash/pipelines/config/so/9806_output_lumberjack_fleet.conf.jinja
@@ -1,3 +1,13 @@
+{% set FAILOVER_LOGSTASH_NODES = [] %}
+{% set node_data = salt['pillar.get']('logstash:nodes', {GLOBALS.role.split('-')[1]: {GLOBALS.hostname: {'ip': GLOBALS.node_ip}}}) %}
+{% for node_type, node_details in node_data.items() | sort %}
+{%   if node_type not in ['heavynode', 'fleet', 'searchnode'] %}
+{%     for hostname in node_data[node_type].keys() %}
+{%       do FAILOVER_LOGSTASH_NODES.append(node_details[hostname].ip) %}
+{%     endfor %}
+{%   endif %}
+{% endfor %}
+
 filter {
        mutate {
                     add_tag => "fleet-lumberjack-{{ GLOBALS.hostname }}"
@@ -7,7 +17,7 @@ filter {
 output { 
     lumberjack { 
         codec => json 
-        hosts => "{{ GLOBALS.manager }}"
+        hosts => {{  FAILOVER_LOGSTASH_NODES }}
         ssl_certificate => "/usr/share/filebeat/ca.crt"
         port => 5056 
         id => "fleet-lumberjack-{{ GLOBALS.hostname }}"