I have to check if it is a combination of changes that are not done correctly (maybe just some order should be applied) by the API or if it is NM who prevent from doing the changes. Thus, I will check if it is NM specific or also happens with wicked. The scenario seems to be: Before do the zone changes: Network backend: NetworkManager Firewalld state: running Default zone: public Interface: ens4 (no explicit zone) Changes applied through the UI: Default zone: trusted Interface: ens4 (public zone) As a first impression before a deep analysis and debugging it, seems that NM does not apply the change in running because the interface was already in public zone (not explicitly but because it was the default zone).