diff --git a/group_vars/all.yml.sample b/group_vars/all.yml.sample
index f80452dd0..754ffd194 100644
--- a/group_vars/all.yml.sample
+++ b/group_vars/all.yml.sample
@@ -63,6 +63,7 @@ dummy:
 # Open ports on corresponding nodes if firewall is installed on it
 #ceph_mon_firewall_zone: public
+#ceph_mgr_firewall_zone: public
 #ceph_osd_firewall_zone: public
 #ceph_rgw_firewall_zone: public
 #ceph_mds_firewall_zone: public
diff --git a/group_vars/rhcs.yml.sample b/group_vars/rhcs.yml.sample
index 45b7e3ed1..10157571a 100644
--- a/group_vars/rhcs.yml.sample
+++ b/group_vars/rhcs.yml.sample
@@ -63,6 +63,7 @@ fetch_directory: ~/ceph-ansible-keys
 # Open ports on corresponding nodes if firewall is installed on it
 #ceph_mon_firewall_zone: public
+#ceph_mgr_firewall_zone: public
 #ceph_osd_firewall_zone: public
 #ceph_rgw_firewall_zone: public
 #ceph_mds_firewall_zone: public
diff --git a/roles/ceph-common/tasks/misc/configure_firewall_rpm.yml b/roles/ceph-common/tasks/misc/configure_firewall_rpm.yml
index f6da3cb4f..b422a4763 100644
--- a/roles/ceph-common/tasks/misc/configure_firewall_rpm.yml
+++ b/roles/ceph-common/tasks/misc/configure_firewall_rpm.yml
@@ -25,6 +25,22 @@
 tags:
 - firewall
+- name: open manager ports
+ firewalld:
+ service: ceph
+ zone: "{{ ceph_mgr_firewall_zone }}"
+ permanent: true
+ immediate: false # if true then fails in case firewalld is stopped
+ state: enabled
+ notify: restart firewalld
+ when:
+ - ceph_release_num[ceph_release] >= ceph_release_num.luminous
+ - mgr_group_name is defined
+ - mgr_group_name in group_names
+ - firewalld_pkg_query.rc == 0
+ tags:
+ - firewall
+
 - name: open osd ports
 firewalld:
 service: ceph
diff --git a/roles/ceph-defaults/defaults/main.yml b/roles/ceph-defaults/defaults/main.yml
index eb74c4964..4f0090910 100644
--- a/roles/ceph-defaults/defaults/main.yml
+++ b/roles/ceph-defaults/defaults/main.yml
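Review bot: In roles/ceph-common/tasks/misc/configure_firewall_rpm.yml the new `open manager ports` task enables the whole firewalld `ceph` service in `ceph_mgr_firewall_zone`, with no comment on what that exposes or which zone it is meant to be. As far as I know that service is the 6800-7300/tcp daemon range, which covers the mgr's messenger port but not listeners that mgr modules open on other ports, so those stay closed after this task and that is worth saying next to it. The `open osd ports` task below uses the same `service: ceph`, so a host in both groups with different zone values ends up with the range enabled in two zones. I would add above the task: `# mgr binds inside the firewalld 'ceph' service range; module listeners on other ports are not opened here`. The osd task continues past the end of the hunk.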
@@ -55,6 +55,7 @@ check_firewall: False
 # Open ports on corresponding nodes if firewall is installed on it
 ceph_mon_firewall_zone: public
+ceph_mgr_firewall_zone: public
 ceph_osd_firewall_zone: public
 ceph_rgw_firewall_zone: public
 ceph_mds_firewall_zone: public
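Review bot: `ceph_mgr_firewall_zone: public` takes the same default as the other daemons, and `public` is normally firewalld's default zone, so every interface not assigned to another zone will accept the mgr port range once the firewall task runs. The comment above the block only says that ports are opened; it would help to state which zone is expected, e.g. `# Zone must be the one bound to the Ceph public network interface; 'public' is firewalld's default zone`. The same wording would fit the commented entries in group_vars/all.yml.sample and group_vars/rhcs.yml.sample.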