SUSE Support

Here When You Need Us

Firewalld hiccups and troubleshooting after upgrading to SLES 15 SP3 or later

This document (000020399) is provided subject to the disclaimer at the end of this document.


SUSE Linux Enterprise Server 15 SP3


After Upgrading to SLES 15 SP3 and later, the firewalld service refuses to start or generally behaves erratically.
With this upgrade, this package has made a major development step, which, depending on the scope of the existing firewall configuration, requires some customization.


Firewalld adjustments after upgrade

Before you start, make sure to keep a copy of /etc/firewalld somewhere, e.g.
$ cd /etc
$ cp -a firewalld firewalld-$(date +%Y%m%d-%H%M%S)

Now check all files in /etc/firewalld for .rpm* and .old extensions. Most probably, you will find a file called firewalld.conf.rpmnew. The .rpmnew file contains the new default configuration for firewalld. Check whether you have any non default settings that are essential to the correct functioning of your firewall:
$ diff -u firewalld.conf{,.rpmnew} > firewalld.conf.diff
$ cp firewalld.conf{.rpmnew,}

$ vi -o firewalld.conf{,.diff}
Specifically, check/restore the DefaultZone setting. Most other settings should be left at the new value, or  don't exist anymore. Please do the same for all .old files.

The operation of new default firewall backend nftables is more strict in certain areas, eg. when using ipsets, make sure, that the address spaces do not overlap. Please read the "Additional Information" section, if you changed your firewall backend.
$ systemctl restart firewalld.service

Your firewall setup should be operational now. Check with:
$ systemctl status firewalld.service

Firewalld debugging

If the firewalld service still fails, and system logs doesn't show an obvious reason, we need to conduct a couple of steps to reveal the cause since debugging output is disabled by default.

$ systemctl edit --full firewalld.service
Comment out the lines

Change /etc/sysconfig/firewalld:
# firewalld command line args
# possible values: --debug

Restart the firewall:
$ systemctl restart firewalld.service

If it still doesn't work properly, please check the logs:
$ journalctl -u firewalld.service

If you are unable to troubleshot the problem with the debug output, please open a support case and provide a supportconfig and use tar to compress the full /etc/firewalld tree:

$ cd /etc/
$ tar cvf /tmp/etc-firewalld-$(date +%Y%m%d-%H%M%S).tar.gz firewalld

and provide the file /tmp/etc-firewalld-*.tar.gz together with the supportconfig.


Reported to Engineering

Additional Information

The default firewalld backend changed from "iptables" to "nftables" in order to overcome a couple of limitations, and to reduce the dependency to a single kernel filtering framework.

Please note, that for internal reasons, you should reboot the system, if you change the firewall backend.


This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID:000020399
  • Creation Date: 28-Sep-2021
  • Modified Date:06-Dec-2021
    • SUSE Linux Enterprise Server

< Back to Support Search

For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]

SUSE Support Forums

Get your questions answered by experienced Sys Ops or interact with other SUSE community experts.

Support Resources

Learn how to get the most from the technical support you receive with your SUSE Subscription, Premium Support, Academic Program, or Partner Program.

Open an Incident

Open an incident with SUSE Technical Support, manage your subscriptions, download patches, or manage user access.