diff --git a/configure.ac b/configure.ac
index 808884f2f7..4dcdd12069 100644
--- a/configure.ac
+++ b/configure.ac
@@ -246,6 +246,7 @@ LIBVIRT_ARG_CAPNG
 LIBVIRT_ARG_CURL
 LIBVIRT_ARG_DBUS
 LIBVIRT_ARG_FIREWALLD
+LIBVIRT_ARG_FIREWALLD_ZONE
 LIBVIRT_ARG_FUSE
 LIBVIRT_ARG_GLUSTER
 LIBVIRT_ARG_HAL
@@ -286,6 +287,7 @@ LIBVIRT_CHECK_DBUS
 LIBVIRT_CHECK_DEVMAPPER
 LIBVIRT_CHECK_DLOPEN
 LIBVIRT_CHECK_FIREWALLD
+LIBVIRT_CHECK_FIREWALLD_ZONE
 LIBVIRT_CHECK_FUSE
 LIBVIRT_CHECK_GLUSTER
 LIBVIRT_CHECK_GNUTLS
@@ -1000,6 +1002,7 @@ LIBVIRT_RESULT_CURL
 LIBVIRT_RESULT_DBUS
 LIBVIRT_RESULT_DLOPEN
 LIBVIRT_RESULT_FIREWALLD
+LIBVIRT_RESULT_FIREWALLD_ZONE
 LIBVIRT_RESULT_FUSE
 LIBVIRT_RESULT_GLUSTER
 LIBVIRT_RESULT_GNUTLS
diff --git a/libvirt.spec.in b/libvirt.spec.in
index 879e315f49..c0e538d92d 100644
--- a/libvirt.spec.in
+++ b/libvirt.spec.in
@@ -82,6 +82,7 @@
 %define with_sanlock 0%{!?_without_sanlock:0}
 %define with_numad 0%{!?_without_numad:0}
 %define with_firewalld 0%{!?_without_firewalld:0}
+%define with_firewalld_zone 0%{!?_without_firewalld_zone:0}
 %define with_libssh2 0%{!?_without_libssh2:0}
 %define with_wireshark 0%{!?_without_wireshark:0}
 %define with_libssh 0%{!?_without_libssh:0}
@@ -136,6 +137,11 @@
 %define with_firewalld 1
+%if 0%{?fedora} >= 30 || 0%{?rhel} > 7
+ %define with_firewalld_zone 0%{!?_without_firewalld_zone:1}
+%endif
+
+
 # fuse is used to provide virtualized /proc for LXC
 %if %{with_lxc}
 %define with_fuse 0%{!?_without_fuse:1}
@@ -395,6 +401,10 @@ BuildRequires: rpcgen
 BuildRequires: libtirpc-devel
 %endif
+%if %{with_firewalld_zone}
+BuildRequires: firewalld-filesystem
+%endif
+
 Provides: bundled(gnulib)
 %description
@@ -1093,6 +1103,12 @@ exit 1
 %define arg_firewalld --without-firewalld
 %endif
+%if %{with_firewalld_zone}
+ %define arg_firewalld_zone --with-firewalld-zone
+%else
+ %define arg_firewalld_zone --without-firewalld-zone
+%endif
+
 %if %{with_wireshark}
 %define arg_wireshark --with-wireshark-dissector
 %else
@@ -1191,6 +1207,7 @@ rm -f po/stamp-po
 --with-dtrace \
 --with-driver-modules \
 %{?arg_firewalld} \
+ %{?arg_firewalld_zone} \
 %{?arg_wireshark} \
 --without-pm-utils \
 --with-nss-plugin \
@@ -1358,6 +1375,16 @@ if [ -f %{_localstatedir}/lib/rpm-state/libvirt/restart ]; then
 fi
 rm -rf %{_localstatedir}/lib/rpm-state/libvirt || :
+%post daemon-driver-network
+%if %{with_firewalld}
+ %firewalld_reload
+%endif
+
+%postun daemon-driver-network
+%if %{with_firewalld}
+ %firewalld_reload
+%endif
+
 %post daemon-config-network
 if test $1 -eq 1 && test ! -f %{_sysconfdir}/libvirt/qemu/networks/default.xml ; then
 # see if the network used by default network creates a conflict,
@@ -1596,6 +1623,10 @@ exit 0
 %attr(0755, root, root) %{_libexecdir}/libvirt_leaseshelper
 %{_libdir}/%{name}/connection-driver/libvirt_driver_network.so
+%if %{with_firewalld_zone}
+%{_prefix}/lib/firewalld/zones/libvirt.xml
+%endif
+
 %files daemon-driver-nodedev
 %{_libdir}/%{name}/connection-driver/libvirt_driver_nodedev.so
diff --git a/m4/virt-firewalld-zone.m4 b/m4/virt-firewalld-zone.m4
new file mode 100644
index 0000000000..b67d1a0b2f
--- /dev/null
+++ b/m4/virt-firewalld-zone.m4
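Review bot: The `%post daemon-driver-network` and `%postun daemon-driver-network` scriptlets in the 1358 hunk are guarded by `%if %{with_firewalld}`, yet the `%firewalld_reload` macro they expand is supplied by firewalld-filesystem, which the 401 hunk only adds as a BuildRequires under `%if %{with_firewalld_zone}`. The 137 hunk shows with_firewalld set to 1 unconditionally while with_firewalld_zone is only enabled for fedora >= 30 or rhel > 7, so on other targets the scriptlets would be emitted with the macro undefined; as far as I know rpm leaves an undefined macro in the text verbatim, which would make the scriptlet try to run `%firewalld_reload` as a shell command. Guarding both scriptlets with `%if %{with_firewalld_zone}` also matches the condition under which the zone file is actually packaged in the 1623 hunk, which is the only case where a reload is needed.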
@@ -0,0 +1,45 @@
+dnl firewalld_zone check - whether or not to install the firewall "libvirt" zone
+dnl
+dnl Copyright (C) 2019 Red Hat, Inc.
+dnl
+dnl This library is free software; you can redistribute it and/or
+dnl modify it under the terms of the GNU Lesser General Public
+dnl License as published by the Free Software Foundation; either
+dnl version 2.1 of the License, or (at your option) any later version.
+dnl
+dnl This library is distributed in the hope that it will be useful,
+dnl but WITHOUT ANY WARRANTY; without even the implied warranty of
+dnl MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+dnl Lesser General Public License for more details.
+dnl
+dnl You should have received a copy of the GNU Lesser General Public
+dnl License along with this library. If not, see
+dnl .
+dnl
+
+AC_DEFUN([LIBVIRT_ARG_FIREWALLD_ZONE], [
+ LIBVIRT_ARG_WITH([FIREWALLD_ZONE], [Whether to install firewalld libvirt zone], [check])
+])
+
+AC_DEFUN([LIBVIRT_CHECK_FIREWALLD_ZONE], [
+ AC_REQUIRE([LIBVIRT_CHECK_FIREWALLD])
+ AC_MSG_CHECKING([for whether to install firewalld libvirt zone])
+
+ if test "x$with_firewalld_zone" = "xcheck" ; then
+ with_firewalld_zone=$with_firewalld
+ fi
+
+ if test "x$with_firewalld_zone" = "xyes" ; then
+ if test "x$with_firewalld" != "xyes" ; then
+ AC_MSG_ERROR([You must have firewalld support enabled to enable firewalld-zone])
+ fi
+ AC_DEFINE_UNQUOTED([WITH_FIREWALLD_ZONE], [1], [whether firewalld libvirt zone is installed])
+ fi
+
+ AM_CONDITIONAL([WITH_FIREWALLD_ZONE], [test "x$with_firewalld_zone" != "xno"])
+ AC_MSG_RESULT($with_firewalld_zone)
+])
+
+AC_DEFUN([LIBVIRT_RESULT_FIREWALLD_ZONE], [
+ LIBVIRT_RESULT([firewalld-zone], [$with_firewalld_zone])
+])
diff --git a/src/network/Makefile.inc.am b/src/network/Makefile.inc.am
index 508c8c0422..cbaaa7ea68 100644
--- a/src/network/Makefile.inc.am
+++ b/src/network/Makefile.inc.am
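Review bot: LIBVIRT_CHECK_FIREWALLD_ZONE defines WITH_FIREWALLD_ZONE in config.h only when `$with_firewalld_zone` is exactly `yes`, but the AM_CONDITIONAL of the same name is true for any value other than `no`; the `check` branch copies whatever LIBVIRT_CHECK_FIREWALLD left in `$with_firewalld` (outside this patch), so if that is ever anything but yes/no the Makefile would install the zone while the compiled code sees it disabled. Using one test for both removes that gap: `AM_CONDITIONAL([WITH_FIREWALLD_ZONE], [test "x$with_firewalld_zone" = "xyes"])`. A smaller point of style: AC_MSG_ERROR fires between AC_MSG_CHECKING and AC_MSG_RESULT, leaving the "checking ..." line unterminated in the configure output; issuing `AC_MSG_RESULT([no])` before the error, or doing the firewalld-support check before AC_MSG_CHECKING, keeps the log readable.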
@@ -87,6 +87,11 @@ install-data-network:
 ( cd $(DESTDIR)$(confdir)/qemu/networks/autostart && \
 rm -f default.xml && \
 $(LN_S) ../default.xml default.xml )
+if WITH_FIREWALLD_ZONE
+ $(MKDIR_P) "$(DESTDIR)$(prefix)/lib/firewalld/zones"
+ $(INSTALL_DATA) $(srcdir)/network/libvirt.zone \
+ $(DESTDIR)$(prefix)/lib/firewalld/zones/libvirt.xml
+endif WITH_FIREWALLD_ZONE
 uninstall-data-network:
 rm -f $(DESTDIR)$(confdir)/qemu/networks/autostart/default.xml
@@ -95,10 +100,13 @@ uninstall-data-network:
 rmdir "$(DESTDIR)$(confdir)/qemu/networks" || :
 rmdir "$(DESTDIR)$(localstatedir)/lib/libvirt/network" ||:
 rmdir "$(DESTDIR)$(localstatedir)/run/libvirt/network" ||:
+if WITH_FIREWALLD_ZONE
+ rm -f $(DESTDIR)$(prefix)/lib/firewalld/zones/libvirt.xml
+endif WITH_FIREWALLD_ZONE
 endif WITH_NETWORK
-EXTRA_DIST += network/default.xml
+EXTRA_DIST += network/default.xml network/libvirt.zone
 .PHONY: \
 install-data-network \
diff --git a/src/network/libvirt.zone b/src/network/libvirt.zone
new file mode 100644
index 0000000000..bf81db1b6e
--- /dev/null
+++ b/src/network/libvirt.zone
@@ -0,0 +1,23 @@
+
+
+ libvirt
+
+
+ The default policy of "ACCEPT" allows all packets to/from
+ interfaces in the zone to be forwarded, while the (*low priority*)
+ reject rule blocks any traffic destined for the host, except those
+ services explicitly listed (that list can be modified as required
+ by the local admin). This zone is intended to be used only by
+ libvirt virtual networks - libvirt will add the bridge devices for
+ all new virtual networks to this zone by default.
+
+
+
+
+
+
+
+
+
+
+
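Review bot: The install recipe in the 87 hunk quotes the directory handed to $(MKDIR_P) but not the source and destination handed to $(INSTALL_DATA), and the `rm -f` added in the 100 hunk is unquoted as well, while the neighbouring rmdir lines quote every $(DESTDIR) path; quoting consistently, `$(INSTALL_DATA) "$(srcdir)/network/libvirt.zone" \`, `"$(DESTDIR)$(prefix)/lib/firewalld/zones/libvirt.xml"` and `rm -f "$(DESTDIR)$(prefix)/lib/firewalld/zones/libvirt.xml"`, keeps a DESTDIR with spaces from splitting the commands. The literal `$(prefix)/lib/firewalld/zones` is spelled out three times across the two hunks, and once more in the spec's %files list, so a single Makefile variable for the zone directory would stop the install, uninstall and packaging paths from drifting apart. Both install-data-network and uninstall-data-network begin before their respective hunks.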
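Review bot: The description in the new zone file tells the local admin that the service list "can be modified as required", but the copy being installed lives under $(prefix)/lib/firewalld/zones (per the Makefile and spec hunks), the distribution-owned directory this package overwrites on every upgrade, so an admin who edits this file loses the change. firewalld honours a same-named zone file under /etc/firewalld/zones as the override, and `firewall-cmd --permanent --zone=libvirt ...` writes there, so the description should point at that mechanism; suggested wording: `(that list can be modified as required by the local admin, preferably with firewall-cmd --permanent --zone=libvirt, which stores the override under /etc/firewalld/zones instead of editing this file)`. The element markup was lost in this rendering, so the listed services and the reject rule's priority value cannot be checked here.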