diff --git a/salt/firewall/containers.map.jinja b/salt/firewall/containers.map.jinja
index bd4cf72f1..a2114258f 100644
--- a/salt/firewall/containers.map.jinja
+++ b/salt/firewall/containers.map.jinja
@@ -22,9 +22,8 @@
 'so-strelka-manager',
 'so-strelka-filestream'
 ] %}
-{% endif %}
-{% if GLOBALS.role == 'so-manager' or GLOBALS.role == 'so-standalone' or GLOBALS.role == 'so-managersearch' %}
+{% elif GLOBALS.role == 'so-manager' or GLOBALS.role == 'so-standalone' or GLOBALS.role == 'so-managersearch' %}
 {% set NODE_CONTAINERS = [
 'so-curator',
 'so-dockerregistry',
@@ -47,17 +46,15 @@
 'so-strelka-manager',
 'so-strelka-filestream'
 ] %}
-{% endif %}
-{% if GLOBALS.role == 'so-searchnode' %}
+{% elif GLOBALS.role == 'so-searchnode' %}
 {% set NODE_CONTAINERS = [
 'so-elasticsearch',
 'so-logstash',
 'so-nginx'
 ] %}
-{% endif %}
-{% if GLOBALS.role == 'so-heavynode' %}
+{% elif GLOBALS.role == 'so-heavynode' %}
 {% set NODE_CONTAINERS = [
 'so-curator',
 'so-elasticsearch',
@@ -71,9 +68,8 @@
 'so-strelka-manager',
 'so-strelka-filestream'
 ] %}
-{% endif %}
-{% if GLOBALS.role == 'so-import' %}
+{% elif GLOBALS.role == 'so-import' %}
 {% set NODE_CONTAINERS = [
 'so-dockerregistry',
 'so-elasticsearch',
@@ -85,17 +81,22 @@
 'so-nginx',
 'so-soc'
 ] %}
-{% endif %}
-{% if GLOBALS.role == 'so-receiver' %}
+{% elif GLOBALS.role == 'so-receiver' %}
 {% set NODE_CONTAINERS = [
 'so-logstash',
 'so-redis',
 ] %}
-{% endif %}
-{% if GLOBALS.role == 'so-idh' %}
+{% elif GLOBALS.role == 'so-idh' %}
 {% set NODE_CONTAINERS = [
 'so-idh',
 ] %}
+
+{% elif GLOBALS.role == 'so-sensor' %}
+{% set NODE_CONTAINERS = [] %}
+
+{% else %}
+{% set NODE_CONTAINERS = [] %}
+
 {% endif %}
diff --git a/salt/firewall/init.sls b/salt/firewall/init.sls
index 12aaed39e..f59a39aca 100644
--- a/salt/firewall/init.sls
+++ b/salt/firewall/init.sls
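Review bot: The new `so-sensor` branch in the last hunk sets the same empty list as the `else` branch that follows it, so a reader cannot tell whether sensors deliberately expose no container ports or the branch was only added for completeness; a comment on it would settle that, e.g. `{# sensors expose no container ports; listed explicitly so an unhandled role is not mistaken for a sensor #}` (intent to be confirmed with the author). The `else` default also changes what an unlisted role gets: with the old independent `if` blocks such a role left NODE_CONTAINERS unset by this chain, now it is `[]`, and whether an empty list means no ports are opened for that node (fail-closed) depends on how iptables.jinja consumes NODE_CONTAINERS, which this diff does not show, so stating that expectation in the same comment would help the next reviewer. The if-to-elif conversion in the first four hunks of this file raises no separate point. The chain's opening `{% if %}` sits before the first hunk and is not visible here.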
@@ -1,11 +1,6 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls in allowed_states %}
-disable_firewalld:
- service.dead:
- - name: firewalld
- - enable: False
-
 create_sysconfig_iptables:
 file.touch:
 - name: /etc/sysconfig/iptables
@@ -18,10 +13,25 @@ iptables_config:
 - source: salt://firewall/iptables.jinja
 - template: jinja
+disable_firewalld:
+ service.dead:
+ - name: firewalld
+ - enable: False
+ - require:
+ - file: iptables_config
+
 iptables_restore:
 cmd.run:
 - name: iptables-restore < /etc/sysconfig/iptables
+enable_firewalld:
+ service.running:
+ - name: firewalld
+ - enable: True
+ - onfail:
+ - file: iptables_config
+ - cmd: iptables_restore
+
 {% else %}
 {{sls}}_state_not_allowed:
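Review bot: `iptables_restore` in the second hunk carries no requisite on `disable_firewalld`, so only the position of the states in the file guarantees that firewalld is stopped before the saved ruleset is loaded, while the neighbouring states now spell their dependencies out with `require` and `onfail`; adding `- require:` / `- service: disable_firewalld` under its `cmd.run` makes that sequence explicit and keeps it if state ordering is ever changed. Stopping firewalld presumably removes its rules, so the host runs without that filtering until `iptables-restore` completes; the `onfail` on `enable_firewalld` brings firewalld back when the restore command fails, but not when the run is interrupted between the two states, which is worth recording in a comment above `disable_firewalld`. `iptables-restore` is also executed on every run whether or not `/etc/sysconfig/iptables` changed; if that is meant to repair rules removed by hand, a comment such as `# re-applied on every run so manual changes to the ruleset do not persist` documents the intent, since gating it on file changes would leave a node with firewalld stopped and no rules loaded. The first hunk is only the removal half of moving `disable_firewalld` below `iptables_config` and raises nothing on its own.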