diff --git a/salt/common/tools/sbin/so-allow b/salt/common/tools/sbin/so-allow
index f902d659c..a49a694a6 100755
--- a/salt/common/tools/sbin/so-allow
+++ b/salt/common/tools/sbin/so-allow
@@ -21,6 +21,30 @@ local_salt_dir=/opt/so/saltstack/local
 
 SKIP=0
 
+function usage {
+
+cat << EOF
+
+Usage: $0 [-abefhoprsw] [ -i IP ]
+
+This program allows you to add a firewall rule to allow connections from a new IP address or CIDR range.
+
+If you run this program with no arguments, it will present a menu for you to choose your options.
+
+If you want to automate and skip the menu, you can pass the desired options as command line arguments.
+
+EXAMPLES
+
+To add 10.1.2.3 to the analyst role:
+so-allow -a -i 10.1.2.3
+
+To add 10.1.2.0/24 to the osquery role:
+so-allow -o -i 10.1.2.0/24
+
+EOF
+
+}
+
 while getopts "ahfesprbowi:" OPTION
 do
     case $OPTION in
@@ -36,7 +60,7 @@ do
             FULLROLE="beats_endpoint"
             SKIP=1
             ;;
-	    e)
+	e)
             FULLROLE="elasticsearch_rest"
             SKIP=1
             ;;