diff --git a/salt/firewall/containers.map.jinja b/salt/firewall/containers.map.jinja
index bd4cf72f1..a2114258f 100644
--- a/salt/firewall/containers.map.jinja
+++ b/salt/firewall/containers.map.jinja
@@ -22,9 +22,8 @@
      'so-strelka-manager',
      'so-strelka-filestream'
 ] %}
-{% endif %}
 
-{% if GLOBALS.role == 'so-manager' or GLOBALS.role == 'so-standalone' or GLOBALS.role == 'so-managersearch' %}
+{% elif GLOBALS.role == 'so-manager' or GLOBALS.role == 'so-standalone' or GLOBALS.role == 'so-managersearch' %}
 {% set NODE_CONTAINERS = [
      'so-curator',
      'so-dockerregistry',
@@ -47,17 +46,15 @@
      'so-strelka-manager',
      'so-strelka-filestream'
 ] %}
-{% endif %}
 
-{% if GLOBALS.role == 'so-searchnode' %}
+{% elif GLOBALS.role == 'so-searchnode' %}
 {% set NODE_CONTAINERS = [
      'so-elasticsearch',
      'so-logstash',
      'so-nginx'
 ] %}
-{% endif %}
 
-{% if GLOBALS.role == 'so-heavynode' %}
+{% elif GLOBALS.role == 'so-heavynode' %}
 {% set NODE_CONTAINERS = [
      'so-curator',
      'so-elasticsearch',
@@ -71,9 +68,8 @@
      'so-strelka-manager',
      'so-strelka-filestream'
 ] %}
-{% endif %}
 
-{% if GLOBALS.role == 'so-import' %}
+{% elif GLOBALS.role == 'so-import' %}
 {% set NODE_CONTAINERS = [
      'so-dockerregistry',
      'so-elasticsearch',
@@ -85,17 +81,22 @@
      'so-nginx',
      'so-soc'
 ] %}
-{% endif %}
 
-{% if GLOBALS.role == 'so-receiver' %}
+{% elif GLOBALS.role == 'so-receiver' %}
 {% set NODE_CONTAINERS = [
      'so-logstash',
      'so-redis',
 ] %}
-{% endif %}
 
-{% if GLOBALS.role == 'so-idh' %}
+{% elif GLOBALS.role == 'so-idh' %}
 {% set NODE_CONTAINERS = [
      'so-idh',
 ] %}
+
+{% elif GLOBALS.role == 'so-sensor' %}
+{% set NODE_CONTAINERS = [] %}
+
+{% else %}
+{% set NODE_CONTAINERS = [] %}
+
 {% endif %}
diff --git a/salt/firewall/init.sls b/salt/firewall/init.sls
index 12aaed39e..63e8d326b 100644
--- a/salt/firewall/init.sls
+++ b/salt/firewall/init.sls
@@ -5,6 +5,8 @@ disable_firewalld:
   service.dead:
     - name: firewalld
     - enable: False
+    - prereq:
+      - file: iptables_config
 
 create_sysconfig_iptables:
   file.touch:
@@ -22,6 +24,14 @@ iptables_restore:
   cmd.run:
     - name: iptables-restore < /etc/sysconfig/iptables
 
+enable_firewalld:
+  service.enabled:
+    - name: firewalld
+    - enable: True
+    - onfail:
+      - file: iptables_config
+      - cmd: iptables_restore
+
 {% else %}
 
 {{sls}}_state_not_allowed: