diff --git a/manifests/init.pp b/manifests/init.pp
index 6dcd4b74..8928b875 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -175,7 +175,7 @@
 
   if $default_zone {
     exec { 'firewalld::set_default_zone':
-      command => "firewall-cmd --set-default-zone ${default_zone} || firewall-offline-cmd --set-default-zone ${default_zone}",
+      command => ['firewall-cmd --set-default-zone ', $default_zone, ' || firewall-offline-cmd --set-default-zone ', $default_zone],
       unless  => "[ $(firewall-cmd --get-default-zone || firewall-offline-cmd --get-default-zone) = ${default_zone} ]",
       require => Service['firewalld'],
     }
@@ -185,7 +185,7 @@
 
   if $log_denied {
     exec { 'firewalld::set_log_denied':
-      command => "firewall-cmd --set-log-denied ${log_denied} || firewall-offline-cmd --set-log-denied ${log_denied}",
+      command => ['firewall-cmd --set-log-denied ', $log_denied, ' || firewall-offline-cmd --set-log-denied ', $log_denied],
       unless  => "[ $(firewall-cmd --get-log-denied || firewall-offline-cmd --get-log-denied) = ${log_denied} ]",
       require => Service['firewalld'],
     }
diff --git a/spec/classes/init_spec.rb b/spec/classes/init_spec.rb
index 3783594f..42de5761 100644
--- a/spec/classes/init_spec.rb
+++ b/spec/classes/init_spec.rb
@@ -43,7 +43,7 @@
 
     it do
       is_expected.to contain_exec('firewalld::set_default_zone').with(
-        command: 'firewall-cmd --set-default-zone restricted || firewall-offline-cmd --set-default-zone restricted',
+        command: ['firewall-cmd --set-default-zone ', 'restricted', ' || firewall-offline-cmd --set-default-zone ', 'restricted'],
         unless: '[ $(firewall-cmd --get-default-zone || firewall-offline-cmd --get-default-zone) = restricted ]'
       ).that_requires('Service[firewalld]')
     end
@@ -243,7 +243,7 @@
 
     it do
       is_expected.to contain_exec('firewalld::set_default_zone').with(
-        command: 'firewall-cmd --set-default-zone public || firewall-offline-cmd --set-default-zone public',
+        command: ['firewall-cmd --set-default-zone ', 'public', ' || firewall-offline-cmd --set-default-zone ', 'public'],
         unless: '[ $(firewall-cmd --get-default-zone || firewall-offline-cmd --get-default-zone) = public ]'
       ).that_requires('Service[firewalld]')
     end
@@ -259,7 +259,7 @@
 
       it do
         is_expected.to contain_exec('firewalld::set_log_denied').with(
-          command: "firewall-cmd --set-log-denied #{cond} || firewall-offline-cmd --set-log-denied #{cond}",
+          command: ['firewall-cmd --set-log-denied ', cond, ' || firewall-offline-cmd --set-log-denied ', cond],
           unless: "[ $(firewall-cmd --get-log-denied || firewall-offline-cmd --get-log-denied) = #{cond} ]"
         ).that_requires('Service[firewalld]')
       end