diff --git a/deployment_scripts/keystone_firewall.pp b/deployment_scripts/keystone_firewall.pp
new file mode 100644
index 0000000..3904a2b
--- /dev/null
+++ b/deployment_scripts/keystone_firewall.pp
@@ -0,0 +1,63 @@
+notice('MODULAR: detach-keystone/keystone_firewall.pp')
+
+$network_scheme = hiera_hash('network_scheme')
+$network_metadata = hiera_hash('network_metadata')
+
+$corosync_input_port = 5404
+$corosync_output_port = 5405
+$keystone_admin_port = 35357
+$keystone_public_port = 5000
+$memcached_port = 11211
+$pcsd_port = 2224
+
+$corosync_networks = get_routable_networks_for_network_role($network_scheme, 'mgmt/corosync')
+$memcache_networks = get_routable_networks_for_network_role($network_scheme, 'mgmt/memcache')
+$keystone_networks = get_routable_networks_for_network_role($network_scheme, 'keystone/api')
+
+# allow connections from haproxy namespace
+firewall {'030 allow connections from haproxy namespace':
+ source => '240.0.0.2',
+ action => 'accept',
+}
+
+openstack::firewall::multi_net {'102 keystone':
+ port => [$keystone_public_port, $keystone_admin_port],
+ proto => 'tcp',
+ action => 'accept',
+ source_nets => $keystone_networks,
+}
+
+openstack::firewall::multi_net {'107 memcache tcp':
+ port => $memcached_port,
+ proto => 'tcp',
+ action => 'accept',
+ source_nets => $memcache_networks,
+}
+
+openstack::firewall::multi_net {'107 memcache udp':
+ port => $memcached_port,
+ proto => 'udp',
+ action => 'accept',
+ source_nets => $memcache_networks,
+}
+
+openstack::firewall::multi_net {'113 corosync-input':
+ port => $corosync_input_port,
+ proto => 'udp',
+ action => 'accept',
+ source_nets => $corosync_networks,
+}
+
+openstack::firewall::multi_net {'114 corosync-output':
+ port => $corosync_output_port,
+ proto => 'udp',
+ action => 'accept',
+ source_nets => $corosync_networks,
+}
+
+openstack::firewall::multi_net {'115 pcsd-server':
+ port => $pcsd_port,
+ proto => 'tcp',
+ action => 'accept',
+ source_nets => $corosync_networks,
+}
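Review bot: The `030 allow connections from haproxy namespace` rule accepts any protocol and any port from `240.0.0.2`, while every other rule in this manifest is scoped to a service port and a source network; if the namespace only needs to reach the API, `proto => 'tcp', dport => [$keystone_public_port, $keystone_admin_port],` would keep the allow-list as tight as the rest of the file (confirm nothing else is proxied through that namespace before narrowing it). `$network_metadata` is looked up via `hiera_hash` but never referenced, so that line is dead and can be dropped. The haproxy namespace address is the only input hard-coded here while the networks come from hiera; sourcing it from hiera with this value as the default would be consistent, but that is optional.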
diff --git a/deployment_tasks.yaml b/deployment_tasks.yaml index d96429d..282f3dd 100644 --- a/deployment_tasks.yaml +++ b/deployment_tasks.yaml @@ -4,8 +4,8 @@ requires: [deploy_start, primary-standalone-database] required_for: [primary-controller, cinder-keystone, nova-keystone, deploy_end] tasks: [fuel_pkgs, hiera, globals, tools, logging, - netconfig, hosts, firewall, ssl-keys-saving, ssl-add-trust-chain, - deploy_start, cluster, keystone-vip, cluster-haproxy, + netconfig, hosts, firewall, keystone-firewall, ssl-keys-saving, + ssl-add-trust-chain, deploy_start, cluster, keystone-vip, cluster-haproxy, openstack-haproxy-stats, task-keystone-db, memcached, apache, task-keystone] parameters: @@ -18,8 +18,8 @@ requires: [deploy_start, primary-standalone-keystone] required_for: [primary-controller, cinder-keystone, nova-keystone, deploy_end] tasks: [fuel_pkgs, hiera, globals, tools, logging, - netconfig, hosts, firewall, ssl-keys-saving, ssl-add-trust-chain, - deploy_start, cluster, keystone-vip, cluster-haproxy, + netconfig, hosts, firewall, keystone-firewall, ssl-keys-saving, + ssl-add-trust-chain, deploy_start, cluster, keystone-vip, cluster-haproxy, openstack-haproxy-stats, task-keystone-db, memcached, apache, task-keystone] parameters: @@ -60,8 +60,8 @@ - id: task-keystone type: puppet role: [primary-standalone-keystone, standalone-keystone] - requires: [deploy_start, keystone-haproxy, keystone-vip, task-keystone-db, - memcached, apache] + requires: [deploy_start, firewall, keystone-firewall, keystone-haproxy, + keystone-vip, task-keystone-db, memcached, apache] required_for: [openstack-controller] parameters: puppet_manifest: '/etc/puppet/modules/osnailyfacter/modular/keystone/keystone.pp' 
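Review bot: In the third hunk `task-keystone` now requires `firewall` directly as well as `keystone-firewall`, but the `keystone-firewall` task defined in the next hunk already requires `firewall`, so the direct edge is redundant; keep it only if `task-keystone` must also order after `firewall` on nodes where `keystone-firewall` is not scheduled. The group task lists changed in the first two hunks gain `keystone-firewall` but do not list `keystone-hiera-override`, which `keystone-firewall` requires; if that task is not provided for these roles elsewhere in the file the dependency dangles, so this should be confirmed against the parts of the file not shown here.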
@@ -82,6 +82,17 @@
 puppet_modules: /etc/puppet/modules
 timeout: 1800
 
+- id: keystone-firewall
+ type: puppet
+ role: [primary-standalone-keystone, standalone-keystone]
+ requires: [keystone-hiera-override, firewall]
+ required_for: [cluster]
+ parameters:
+ puppet_manifest: 'keystone_firewall.pp'
+ puppet_modules: /etc/puppet/modules
+ timeout: 180
+ cwd: /
+
 - id: disable_standalone_keystone_service_token
 type: puppet
 role: [primary-standalone-keystone, standalone-keystone]
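Review bot: The new task sets `puppet_manifest: 'keystone_firewall.pp'` as a bare relative name together with `cwd: /`, whereas the `task-keystone` task in the previous hunk uses an absolute manifest path; if the relative name is resolved against `cwd` rather than rewritten to the plugin's deployment_scripts directory by the framework, the manifest will not be found, so this is worth confirming against how the other plugin-local tasks in this file declare their manifests. A short comment on the task, e.g. `# opens keystone/memcache/corosync/pcsd ports before the cluster task runs`, would also explain why `required_for: [cluster]` is the chosen ordering.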