diff --git a/roles/agent/defaults/main.yml b/roles/agent/defaults/main.yml
index df37b9a..75cb3ec 100644
--- a/roles/agent/defaults/main.yml
+++ b/roles/agent/defaults/main.yml
@@ -14,3 +14,5 @@ _radiorabe_zabbix_agent_zabbix_agent_tls: cert
 _radiorabe_zabbix_agent_zabbix_agent_cafile: /etc/ipa/ca.crt
 _radiorabe_zabbix_agent_zabbix_agent_tlscertfile: /etc/pki/tls/certs/zabbix-agent.crt
 _radiorabe_zabbix_agent_zabbix_agent_tlskeyfile: /etc/pki/tls/private/zabbix-agent.key
+
+_radiorabe_zabbix_agent_firewall_zone: service
diff --git a/roles/agent/tasks/main.yaml b/roles/agent/tasks/main.yaml
index 025010a..969d66e 100644
--- a/roles/agent/tasks/main.yaml
+++ b/roles/agent/tasks/main.yaml
@@ -98,7 +98,7 @@
   vars:
     firewall:
       - rich_rule: ['rule family="ipv4" source address="{{ _rabe_zabbix_server_ip }}" service name="zabbix-agent" accept']
-        zone: service
+        zone: "{{ _radiorabe_zabbix_agent_firewall_zone }}"
         state: enabled
   tags:
     - role::rabe_zabbix.agent