diff --git a/core/src/com/cloud/agent/api/NetworkRulesSystemVmCommand.java b/core/src/com/cloud/agent/api/NetworkRulesSystemVmCommand.java
new file mode 100644
index 00000000000..9c5618f94a5
--- /dev/null
+++ b/core/src/com/cloud/agent/api/NetworkRulesSystemVmCommand.java
@@ -0,0 +1,41 @@
+/**
+ * Copyright (C) 2010 Cloud.com, Inc. All rights reserved.
+ *
+ * This software is licensed under the GNU General Public License v3 or later.
+ *
+ * It is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or any later version.
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see .
+ *
+ */
+package com.cloud.agent.api;
+
+public class NetworkRulesSystemVmCommand extends Command {
+
+ private String vmName;
+
+ protected NetworkRulesSystemVmCommand() {
+
+ }
+
+ public NetworkRulesSystemVmCommand(String vmName) {
+ this.vmName = vmName;
+ }
+
+ public String getVmName() {
+ return vmName;
+ }
+
+ @Override
+ public boolean executeInSequence() {
+ return false;
+ }
+
+}
diff --git a/core/src/com/cloud/hypervisor/xen/resource/CitrixResourceBase.java b/core/src/com/cloud/hypervisor/xen/resource/CitrixResourceBase.java
index 38a37a5842f..b4d3ae19203 100644
--- a/core/src/com/cloud/hypervisor/xen/resource/CitrixResourceBase.java
+++ b/core/src/com/cloud/hypervisor/xen/resource/CitrixResourceBase.java
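Review bot: The new `NetworkRulesSystemVmCommand` class has no Javadoc, and `vmName` is never validated: the protected no-arg constructor leaves it null, and the CitrixResourceBase handler in this commit passes `cmd.getVmName()` straight to the host plugin. A class comment such as `/** Asks the host agent to program the default network rules for the named system VM. */` would say what the command is for, and a one-line comment on `executeInSequence()` should say why returning false is safe when the command is sent in the same batch as `CheckVirtualMachineCommand`. The public constructor could also reject a null name, `this.vmName = java.util.Objects.requireNonNull(vmName, "vmName");`, if the project's Java level allows it.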
@@ -96,6 +96,7 @@ import com.cloud.agent.api.ModifyStoragePoolAnswer; import com.cloud.agent.api.ModifyStoragePoolCommand; import com.cloud.agent.api.NetworkIngressRuleAnswer; import com.cloud.agent.api.NetworkIngressRulesCmd; +import com.cloud.agent.api.NetworkRulesSystemVmCommand; import com.cloud.agent.api.PingCommand; import com.cloud.agent.api.PingRoutingCommand; import com.cloud.agent.api.PingRoutingWithNwGroupsCommand; @@ -648,6 +649,8 @@ public abstract class CitrixResourceBase implements StoragePoolResource, ServerR return execute((ModifySshKeysCommand) cmd); } else if (cmd instanceof NetworkIngressRulesCmd) { return execute((NetworkIngressRulesCmd) cmd); + } else if (cmd instanceof NetworkRulesSystemVmCommand) { + return execute((NetworkRulesSystemVmCommand) cmd); } else if (cmd instanceof PoolEjectCommand) { return execute((PoolEjectCommand) cmd); } else { @@ -6057,6 +6060,23 @@ public abstract class CitrixResourceBase implements StoragePoolResource, ServerR } } + private Answer execute(NetworkRulesSystemVmCommand cmd) { + boolean success = false; + if (_canBridgeFirewall) { + String result = callHostPlugin("default_network_rules_systemvm", "vmName", cmd.getVmName()); + if (result == null || result.isEmpty() || !Boolean.parseBoolean(result)) { + s_logger.warn("Failed to program default system vm network rules for " + cmd.getVmName()); + success = false; + } else { + s_logger.info("Programmed default system vm network rules for " + cmd.getVmName()); + success = true; + } + } else { + s_logger.warn("Cannot program ingress rules for system vm -- bridge firewalling not supported on host"); + } + return new Answer(cmd, success, ""); + } + private Answer execute(PoolEjectCommand cmd) { Connection conn = getConnection(); String hostuuid = cmd.getHostuuid(); diff --git a/server/src/com/cloud/consoleproxy/ConsoleProxyManagerImpl.java b/server/src/com/cloud/consoleproxy/ConsoleProxyManagerImpl.java index 0882d4963a2..cef5fec9a16 100644 
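Review bot: The `Answer` built at the end of `execute(NetworkRulesSystemVmCommand)` always carries an empty details string, so the management server cannot tell "bridge firewalling not supported on host" apart from a host-plugin failure; both come back as `success == false` and the callers in this commit log them as a failure to program the rules. Record a reason in each failing branch and return it, for example `details = "bridge firewalling not supported on host";` in the outer else and `return new Answer(cmd, success, details);` at the end. `cmd.getVmName()` is also handed to `callHostPlugin` without a null check, although the command's no-arg constructor can leave it null; a guard like `if (cmd.getVmName() == null) return new Answer(cmd, false, "vmName is null");` at the top would make that case explicit. The `success = false;` assignment in the failure branch is redundant, and so are the `result == null || result.isEmpty()` tests, because `Boolean.parseBoolean` already returns false for both.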
--- a/server/src/com/cloud/consoleproxy/ConsoleProxyManagerImpl.java +++ b/server/src/com/cloud/consoleproxy/ConsoleProxyManagerImpl.java @@ -50,6 +50,7 @@ import com.cloud.agent.api.ConsoleAccessAuthenticationAnswer; import com.cloud.agent.api.ConsoleAccessAuthenticationCommand; import com.cloud.agent.api.ConsoleProxyLoadReportCommand; import com.cloud.agent.api.MigrateCommand; +import com.cloud.agent.api.NetworkRulesSystemVmCommand; import com.cloud.agent.api.PrepareForMigrationCommand; import com.cloud.agent.api.RebootCommand; import com.cloud.agent.api.StartConsoleProxyAnswer; @@ -2465,15 +2466,16 @@ public class ConsoleProxyManagerImpl implements ConsoleProxyManager, CheckVirtualMachineCommand cvm = new CheckVirtualMachineCommand(proxy .getInstanceName()); - CheckVirtualMachineAnswer answer = (CheckVirtualMachineAnswer) _agentMgr - .send(host.getId(), cvm); - if (!answer.getResult()) { + NetworkRulesSystemVmCommand nrsvm = new NetworkRulesSystemVmCommand(proxy.getInstanceName()); + Answer [] answers = _agentMgr.send(host.getId(), new Command[]{cvm, nrsvm}, true); + CheckVirtualMachineAnswer checkAnswer = (CheckVirtualMachineAnswer)answers[0]; + if (!checkAnswer.getResult()) { s_logger.debug("Unable to complete migration for " + proxy.getId()); _consoleProxyDao.updateIf(proxy, Event.AgentReportStopped, null); return false; } - State state = answer.getState(); + State state = checkAnswer.getState(); if (state == State.Stopped) { s_logger.warn("Unable to complete migration as we can not detect it on " + host.getId()); _consoleProxyDao.updateIf(proxy, Event.AgentReportStopped, null); 
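Review bot: `answers` and `answers[0]` are used without a null or length check in the `completeMigration` hunk: `_agentMgr.send(...)` now returns an array, the first element is cast, and `checkAnswer.getResult()` is called on the result. The NetworkManagerImpl hunk in this commit keeps a `checkAnswer == null` test, but this one and the SecondaryStorageManagerImpl one do not, and none of the three checks `answers` itself before indexing it. Suggest guarding before the cast with `if (answers == null || answers.length == 0 || answers[0] == null) {` and taking the same "Unable to complete migration" path, so a missing reply is handled as a failed check rather than as an exception. The method starts and ends outside this hunk, so any handling further up is not visible here.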
@@ -2481,6 +2483,12 @@ public class ConsoleProxyManagerImpl implements ConsoleProxyManager, } _consoleProxyDao.updateIf(proxy, Event.OperationSucceeded, host.getId()); + + if (! answers[1].getResult()) { + s_logger.warn("Migration complete: Failed to program default network rules for system vm " + proxy.getInstanceName()); + } else { + s_logger.info("Migration complete: Programmed default network rules for system vm " + proxy.getInstanceName()); + } return true; } diff --git a/server/src/com/cloud/network/NetworkManagerImpl.java b/server/src/com/cloud/network/NetworkManagerImpl.java index 19f106b97ef..7cbac7738a6 100644 --- a/server/src/com/cloud/network/NetworkManagerImpl.java +++ b/server/src/com/cloud/network/NetworkManagerImpl.java @@ -40,6 +40,7 @@ import com.cloud.agent.api.CreateZoneVlanAnswer; import com.cloud.agent.api.CreateZoneVlanCommand; import com.cloud.agent.api.MigrateCommand; import com.cloud.agent.api.ModifySshKeysCommand; +import com.cloud.agent.api.NetworkRulesSystemVmCommand; import com.cloud.agent.api.PrepareForMigrationCommand; import com.cloud.agent.api.RebootAnswer; import com.cloud.agent.api.RebootRouterCommand; 
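Review bot: A failure of the rules command is only logged here, after `_consoleProxyDao.updateIf(proxy, Event.OperationSucceeded, host.getId())` has already run, and the method still returns true, so the console proxy is recorded as migrated even when its default network rules were not programmed on the destination host. If those rules are what restricts traffic to the system VM (the diff does not show their content), this path fails open and should be surfaced more strongly than a warn line, for example by raising an alert or scheduling a retry. `answers[1]` is also dereferenced without a length or null check, so a missing second answer would throw after the state change has been persisted; `Answer rulesAnswer = answers.length > 1 ? answers[1] : null;` followed by `if (rulesAnswer == null || !rulesAnswer.getResult()) {` avoids that. The same pattern is repeated in the NetworkManagerImpl and SecondaryStorageManagerImpl `completeMigration` hunks of this commit.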
@@ -2244,14 +2245,16 @@ public class NetworkManagerImpl implements NetworkManager, VirtualMachineManager @Override public boolean completeMigration(final DomainRouterVO router, final HostVO host) throws OperationTimedoutException, AgentUnavailableException { final CheckVirtualMachineCommand cvm = new CheckVirtualMachineCommand(router.getInstanceName()); - final CheckVirtualMachineAnswer answer = (CheckVirtualMachineAnswer)_agentMgr.send(host.getId(), cvm); - if (answer == null || !answer.getResult()) { + final NetworkRulesSystemVmCommand nrsvm = new NetworkRulesSystemVmCommand(router.getInstanceName()); + final Answer [] answers = _agentMgr.send(host.getId(), new Command[]{cvm, nrsvm}, true); + final CheckVirtualMachineAnswer checkAnswer = (CheckVirtualMachineAnswer)answers[0]; + if (checkAnswer == null || !checkAnswer.getResult()) { s_logger.debug("Unable to complete migration for " + router.getId()); _routerDao.updateIf(router, Event.AgentReportStopped, null); return false; } - final State state = answer.getState(); + final State state = checkAnswer.getState(); if (state == State.Stopped) { s_logger.warn("Unable to complete migration as we can not detect it on " + host.getId()); _routerDao.updateIf(router, Event.AgentReportStopped, null); @@ -2259,7 +2262,12 @@ public class NetworkManagerImpl implements NetworkManager, VirtualMachineManager } _routerDao.updateIf(router, Event.OperationSucceeded, host.getId()); - + + if (! answers[1].getResult()) { + s_logger.warn("Migration complete: Failed to program default network rules for system vm " + router.getInstanceName()); + } else { + s_logger.info("Migration complete: Programmed default network rules for system vm " + router.getInstanceName()); + } return true; } diff --git a/server/src/com/cloud/storage/secondary/SecondaryStorageManagerImpl.java b/server/src/com/cloud/storage/secondary/SecondaryStorageManagerImpl.java index af19740419d..3ec1fdf933c 100644 
--- a/server/src/com/cloud/storage/secondary/SecondaryStorageManagerImpl.java +++ b/server/src/com/cloud/storage/secondary/SecondaryStorageManagerImpl.java @@ -40,6 +40,7 @@ import com.cloud.agent.api.CheckVirtualMachineAnswer; import com.cloud.agent.api.CheckVirtualMachineCommand; import com.cloud.agent.api.Command; import com.cloud.agent.api.MigrateCommand; +import com.cloud.agent.api.NetworkRulesSystemVmCommand; import com.cloud.agent.api.PrepareForMigrationCommand; import com.cloud.agent.api.RebootCommand; import com.cloud.agent.api.SecStorageFirewallCfgCommand; @@ -1748,14 +1749,16 @@ public class SecondaryStorageManagerImpl implements SecondaryStorageVmManager, V public boolean completeMigration(SecondaryStorageVmVO secStorageVm, HostVO host) throws AgentUnavailableException, OperationTimedoutException { CheckVirtualMachineCommand cvm = new CheckVirtualMachineCommand(secStorageVm.getInstanceName()); - CheckVirtualMachineAnswer answer = (CheckVirtualMachineAnswer) _agentMgr.send(host.getId(), cvm); - if (!answer.getResult()) { + NetworkRulesSystemVmCommand nrsvm = new NetworkRulesSystemVmCommand(secStorageVm.getInstanceName()); + Answer [] answers = _agentMgr.send(host.getId(), new Command[]{cvm, nrsvm}, true); + CheckVirtualMachineAnswer checkAnswer = (CheckVirtualMachineAnswer)answers[0]; + if (!checkAnswer.getResult()) { s_logger.debug("Unable to complete migration for " + secStorageVm.getId()); _secStorageVmDao.updateIf(secStorageVm, Event.AgentReportStopped, null); return false; } - State state = answer.getState(); + State state = checkAnswer.getState(); if (state == State.Stopped) { s_logger.warn("Unable to complete migration as we can not detect it on " + host.getId()); _secStorageVmDao.updateIf(secStorageVm, Event.AgentReportStopped, null); 
@@ -1763,6 +1766,11 @@ public class SecondaryStorageManagerImpl implements SecondaryStorageVmManager, V } _secStorageVmDao.updateIf(secStorageVm, Event.OperationSucceeded, host.getId()); + if (! answers[1].getResult()) { + s_logger.warn("Migration complete: Failed to program default network rules for system vm " + secStorageVm.getInstanceName()); + } else { + s_logger.info("Migration complete: Programmed default network rules for system vm " + secStorageVm.getInstanceName()); + } return true; }