diff --git a/plinth/modules/firewall/__init__.py b/plinth/modules/firewall/__init__.py
index 1b0340501..46a0b3f8b 100644
--- a/plinth/modules/firewall/__init__.py
+++ b/plinth/modules/firewall/__init__.py
@@ -4,6 +4,7 @@
 import contextlib
 import logging
+from django.utils.translation import gettext
 from django.utils.translation import gettext_lazy as _
 from plinth import app as app_module
@@ -94,6 +95,12 @@ class FirewallApp(app_module.App):
 _run_setup()
 return True
+ def diagnose(self):
+ """Run diagnostics and return the results."""
+ results = super().diagnose()
+ results.append(_diagnose_default_zone())
+ return results
+
 def _run_setup():
 """Run firewalld setup."""
@@ -252,3 +259,11 @@ def remove_passthrough(ipv, *args):
 config_direct = _get_dbus_proxy(_CONFIG_OBJECT, _CONFIG_DIRECT_INTERFACE)
 if config_direct.queryPassthrough('(sas)', ipv, args):
 config_direct.removePassthrough('(sas)', ipv, args)
+
+
+def _diagnose_default_zone():
+ """Diagnose whether the default zone is external."""
+ default_zone = privileged.get_default_zone()
+ testname = gettext('Default zone is external')
+ result = 'passed' if default_zone == 'external' else 'failed'
+ return [testname, result]
diff --git a/plinth/modules/firewall/privileged.py b/plinth/modules/firewall/privileged.py
index 6bf4d9ebd..398f68464 100644
--- a/plinth/modules/firewall/privileged.py
+++ b/plinth/modules/firewall/privileged.py
@@ -129,3 +129,10 @@ def setup():
 set_firewall_backend('nftables')
 _setup_local_service_protection()
+
+
+@privileged
+def get_default_zone():
+ """Return the firewalld default zone."""
+ output = subprocess.check_output(['firewall-cmd', '--get-default-zone'])
+ return output.decode().strip()
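Review bot: `_diagnose_default_zone` calls `privileged.get_default_zone()` with no error handling, so a failing `firewall-cmd` (for example when firewalld is not running) would presumably raise out of `FirewallApp.diagnose()` and drop every firewall result instead of reporting a failed check. For a firewall diagnostic that is the condition most worth surfacing, so the failure should be caught and returned as a `'failed'` row for this test. The exception type that crosses the `@privileged` boundary is not visible in this diff, hence the broad catch in the sketch below. A short comment on why `'external'` is the expected default (presumably so that interfaces not assigned to any zone get the restrictive external rules) would also help the next reader.

```python
def _diagnose_default_zone():
    # … unchanged: docstring …
    testname = gettext('Default zone is external')
    try:
        default_zone = privileged.get_default_zone()
    except Exception:
        # The zone could not be read (e.g. firewalld is not running):
        # report a failed check rather than aborting the diagnostics run.
        return [testname, 'failed']

    # … unchanged: passed/failed comparison against 'external' and return …
```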
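Review bot: `get_default_zone` has no return annotation and its docstring is silent on the failure path: `subprocess.check_output` raises `CalledProcessError` when `firewall-cmd` exits non-zero, which callers such as `_diagnose_default_zone` need to know. Suggest `def get_default_zone() -> str:` and a docstring line such as `Raises CalledProcessError if firewall-cmd exits with a non-zero status.` The command is passed as an argument list without a shell and only the zone name is returned to the caller, which is the right shape for a privileged helper.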