diff --git a/src/devices/nm-device.c b/src/devices/nm-device.c
index 2c60b69dd4..c86ece86ee 100644
--- a/src/devices/nm-device.c
+++ b/src/devices/nm-device.c
@@ -4590,6 +4590,14 @@ nm_device_activate_schedule_stage3_ip_config_start (NMDevice *self)
 	s_con = nm_connection_get_setting_connection (connection);
 
 	zone = nm_setting_connection_get_zone (s_con);
+
+	if (nm_device_uses_assumed_connection (self)) {
+		_LOGD (LOGD_DEVICE, "Activation: skip setting firewall zone '%s' for assumed device", zone ? zone : "default");
+		activation_source_schedule (self, nm_device_activate_stage3_ip_config_start, 0);
+		_LOGI (LOGD_DEVICE, "Activation: Stage 3 of 5 (IP Configure Start) scheduled.");
+		return;
+	}
+
 	_LOGD (LOGD_DEVICE, "Activation: setting firewall zone '%s'", zone ? zone : "default");
 	priv->fw_call = nm_firewall_manager_add_or_change_zone (nm_firewall_manager_get (),
 	                                                        nm_device_get_ip_iface (self),
@@ -6887,7 +6895,9 @@ _cleanup_generic_pre (NMDevice *self, gboolean deconfigure)
 	}
 
 	connection = nm_device_get_connection (self);
-	if (deconfigure && connection) {
+	if (   deconfigure
+	    && connection
+	    && !nm_device_uses_assumed_connection (self)) {
 		nm_firewall_manager_remove_from_zone (nm_firewall_manager_get (),
 		                                      nm_device_get_ip_iface (self),
 		                                      NULL);
diff --git a/src/nm-policy.c b/src/nm-policy.c
index 0a8f54e370..87fcdcc925 100644
--- a/src/nm-policy.c
+++ b/src/nm-policy.c
@@ -1576,7 +1576,8 @@ firewall_update_zone (NMPolicy *policy, NMConnection *connection)
 		NMDevice *dev = NM_DEVICE (iter->data);
 
 		if (   (nm_device_get_connection (dev) == connection)
-		    && (nm_device_get_state (dev) == NM_DEVICE_STATE_ACTIVATED)) {
+		    && (nm_device_get_state (dev) == NM_DEVICE_STATE_ACTIVATED)
+		    && !nm_device_uses_assumed_connection (dev)) {
 			nm_firewall_manager_add_or_change_zone (nm_firewall_manager_get (),
 			                                        nm_device_get_ip_iface (dev),
 			                                        nm_setting_connection_get_zone (s_con),
@@ -1606,7 +1607,8 @@ firewall_started (NMFirewallManager *manager,
 			continue;
 
 		s_con = nm_connection_get_setting_connection (connection);
-		if (nm_device_get_state (dev) == NM_DEVICE_STATE_ACTIVATED) {
+		if (    nm_device_get_state (dev) == NM_DEVICE_STATE_ACTIVATED
+		    && !nm_device_uses_assumed_connection (dev)) {
 			nm_firewall_manager_add_or_change_zone (nm_firewall_manager_get (),
 			                                        nm_device_get_ip_iface (dev),
 			                                        nm_setting_connection_get_zone (s_con),