diff --git a/roles/libvirt_manager/README.md b/roles/libvirt_manager/README.md
index 33404eb389..daa0b2fc40 100644
--- a/roles/libvirt_manager/README.md
+++ b/roles/libvirt_manager/README.md
@@ -44,7 +44,7 @@ Used for checking if:
 * `cifmw_libvirt_manager_attach_dummy_interface_on_bridges`: (Bool) Attach dummy interface on bridges. Defaults to `true`.
 * `cifmw_libvirt_manager_default_gw_nets`: (List[String]) List of networks used as default gateway. If not set, defaults to the `cifmw_libvirt_manager_pub_net`. Read bellow for more information about that parameter.
 * `cifmw_libvirt_manager_vm_users`: (List[Dict]) Used to override the default list of users enabled in the vm. For its format, refers to cloud-init [documentation](https://cloudinit.readthedocs.io/en/latest/reference/modules.html#users-and-groups) about `users`. Defaults to `[]`.
-* `cifmw_libvirt_manager_extra_network_configuration`: (Dict) Extra network configuration in nmstate format for the hypervisor. This configuration is applied after creating the libvirt networks, so it can be used to create VLAN interfaces on the libvirt bridges. Defaults to: `{}`.
+* `cifmw_libvirt_manager_extra_network_configuration`: (Dict) Extra network configuration in nmstate format for the hypervisor. This configuration is applied after creating the libvirt networks, so it can be used to create VLAN interfaces on the libvirt bridges. In addition to nmstate, it also supports a `cifmw_firewall_zone` hint in nmstate interfaces.  Defaults to: `{}`.
 
 ### `cifmw_libvirt_manager_default_gw_nets` parameter usage
 
@@ -114,6 +114,7 @@ _networks:
 cifmw_libvirt_manager_extra_network_configuration:
   interfaces:
     - name: vlan10
+      cifmw_firewall_zone: libvirt
       type: vlan
       state: up
       vlan:
diff --git a/roles/libvirt_manager/molecule/ocp_layout/converge.yml b/roles/libvirt_manager/molecule/ocp_layout/converge.yml
index 2cb66ee38b..9b52ae98fd 100644
--- a/roles/libvirt_manager/molecule/ocp_layout/converge.yml
+++ b/roles/libvirt_manager/molecule/ocp_layout/converge.yml
@@ -70,6 +70,7 @@
         cifmw_libvirt_manager_extra_network_configuration:
           interfaces:
             - name: "vlan{{ cifmw_networking_definition.networks.internalapi.vlan }}"
+              cifmw_firewall_zone: libvirt
               type: vlan
               state: up
               vlan:
@@ -83,6 +84,7 @@
                   - ip: "{{ cifmw_networking_definition.networks.internalapi.gateway }}"
                     prefix-length: "{{ cifmw_networking_definition.networks.internalapi.network | ansible.utils.ipaddr('prefix') }}"
             - name: "vlan{{ cifmw_networking_definition.networks.storage.vlan }}"
+              cifmw_firewall_zone: libvirt
               type: vlan
               state: up
               vlan:
@@ -197,6 +199,11 @@
           register: _ip_link_show
           ansible.builtin.command: ip -json link show
 
+        - name: List libvirt firewall zone interfaces
+          become: true
+          register: _libvirt_zone_interfaces
+          ansible.builtin.command: firewall-cmd --zone=libvirt --list-interfaces
+
         - name: Ensure the VLAN interfaces was created
           vars:
             _vlan_interfaces:
@@ -209,3 +216,16 @@
             msg: >-
               Expected vlan {{ item }} not found
           loop: "{{ _vlan_interfaces }}"
+
+        - name: Ensure the VLAN interfaces is in the correct firewall zone
+          vars:
+            _vlan_interfaces:
+              - "vlan{{ cifmw_networking_definition.networks.internalapi.vlan }}"
+              - "vlan{{ cifmw_networking_definition.networks.storage.vlan }}"
+          ansible.builtin.assert:
+            quiet: true
+            that:
+              - "'{{ item }}' in _libvirt_zone_interfaces.stdout"
+            msg: >-
+              Expected vlan {{ item }} not found in libvirt firewall zone
+          loop: "{{ _vlan_interfaces }}"
diff --git a/roles/libvirt_manager/tasks/create_networks.yml b/roles/libvirt_manager/tasks/create_networks.yml
index 2e0e70a387..3dc13f87a7 100644
--- a/roles/libvirt_manager/tasks/create_networks.yml
+++ b/roles/libvirt_manager/tasks/create_networks.yml
@@ -90,11 +90,31 @@
   when: cifmw_libvirt_manager_extra_network_configuration | default({}) | length > 0
   vars:
     cifmw_ci_nmstate_unmanaged_host: "{{ inventory_hostname }}"
-    cifmw_ci_nmstate_unmanaged_node_config: "{{ cifmw_libvirt_manager_extra_network_configuration }}"
+    cifmw_ci_nmstate_unmanaged_node_config: >-
+      {{
+        cifmw_libvirt_manager_extra_network_configuration |
+        ansible.utils.remove_keys(target='cifmw_firewall_zone')
+      }}
   ansible.builtin.include_role:
     name: "ci_nmstate"
     tasks_from: "nmstate_unmanaged_provision_node.yml"
 
+- name: Ensure extra networks is in correct zone
+  when:
+    - cifmw_libvirt_manager_extra_network_configuration | default({}) | length > 0
+  become: true
+  notify: Restart firewalld
+  ansible.builtin.shell:
+    cmd: >-
+      firewall-cmd --zone {{ item.cifmw_firewall_zone }}
+      --change-interface={{ item.name }}
+      --permanent;
+  loop: "{{ cifmw_libvirt_manager_extra_network_configuration.interfaces | default([]) }}"
+  loop_control:
+    label: "{{ item.name }}"
+  async: 120
+  poll: 0
+
 ## Ensure we get dnsmasq DHCP service for all created networks
 # Refreshing network facts will ensure we get the new interfaces.
 # They (usually?) have the same name as the network itself.