diff --git a/manifests/server/firewall.pp b/manifests/server/firewall.pp
index 4330e053..20d86e6f 100644
--- a/manifests/server/firewall.pp
+++ b/manifests/server/firewall.pp
@@ -7,9 +7,9 @@
   $ssl_port       = $puppetdb::params::ssl_listen_port,
   $open_ssl_port  = $puppetdb::params::open_ssl_listen_port,
 ) inherits puppetdb::params {
-  include firewall
-
   if ($open_http_port) {
+    include firewall
+
     firewall { "${http_port} accept - puppetdb":
       dport => $http_port,
       proto => 'tcp',
@@ -18,6 +18,8 @@
   }
 
   if ($open_ssl_port) {
+    include firewall
+
     firewall { "${ssl_port} accept - puppetdb":
       dport => $ssl_port,
       proto => 'tcp',