diff --git a/api/src/com/cloud/api/commands/DeleteSecurityGroupCmd.java b/api/src/com/cloud/api/commands/DeleteSecurityGroupCmd.java
index 515cabd1b11..2eb7e092a7b 100644
--- a/api/src/com/cloud/api/commands/DeleteSecurityGroupCmd.java
+++ b/api/src/com/cloud/api/commands/DeleteSecurityGroupCmd.java
@@ -7,7 +7,6 @@ import com.cloud.api.BaseCmd;
 import com.cloud.api.Implementation;
 import com.cloud.api.Parameter;
 import com.cloud.api.ServerApiException;
-import com.cloud.api.BaseCmd.CommandType;
 import com.cloud.api.response.SuccessResponse;
 import com.cloud.exception.ResourceInUseException;
diff --git a/server/src/com/cloud/network/NetworkManager.java b/server/src/com/cloud/network/NetworkManager.java
index d4ba5289853..7130a4f918b 100644
--- a/server/src/com/cloud/network/NetworkManager.java
+++ b/server/src/com/cloud/network/NetworkManager.java
@@ -170,5 +170,7 @@ public interface NetworkManager extends NetworkService {
 boolean zoneIsConfiguredForExternalNetworking(long zoneId);
 void unassignPublicIpAddress(IPAddressVO addr);
+
+ Map getServiceCapability(long zoneId, Service service);
 }
diff --git a/server/src/com/cloud/network/NetworkManagerImpl.java b/server/src/com/cloud/network/NetworkManagerImpl.java
index 2e96ba0fd5f..e086305900c 100755
--- a/server/src/com/cloud/network/NetworkManagerImpl.java
+++ b/server/src/com/cloud/network/NetworkManagerImpl.java
@@ -1975,6 +1975,12 @@ public class NetworkManagerImpl implements NetworkManager, NetworkService, Manag
 }
 return networkCapabilities;
 }
+
+ @Override
+ public Map getServiceCapability(long zoneId, Service service) {
+ Map> networkCapabilities = getZoneCapabilities(zoneId);
+ return networkCapabilities.get(service);
+ }
 @Override
 public Network getSystemNetworkByZoneAndTrafficType(long zoneId, TrafficType trafficType) {
diff --git a/server/src/com/cloud/network/rules/FirewallRuleVO.java b/server/src/com/cloud/network/rules/FirewallRuleVO.java
index bd54de5a3ab..ef8cc1fbde7 100644
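Review bot: The new `getServiceCapability(long zoneId, Service service)` declaration in NetworkManager carries no Javadoc, and its result for a zone that does not offer the requested service is left unspecified. The NetworkManagerImpl hunk implements it as `return networkCapabilities.get(service);`, which by the Map contract yields null for an absent key, so a caller that dereferences the result directly fails with a NullPointerException instead of a validation error. Either state the contract on the interface, for example `/** Returns the capabilities of the given service in the zone, or null when the zone does not provide that service. */`, or have the implementation return an empty map. Whether `getZoneCapabilities(zoneId)` itself can return null is not visible here and should be confirmed; both the interface and the implementing class continue outside these hunks.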
--- a/server/src/com/cloud/network/rules/FirewallRuleVO.java
+++ b/server/src/com/cloud/network/rules/FirewallRuleVO.java
@@ -34,6 +34,7 @@ import javax.persistence.InheritanceType;
 import javax.persistence.Table;
 import com.cloud.utils.db.GenericDao;
+import com.cloud.utils.net.NetUtils;
 @Entity
 @Table(name="firewall_rules")
@@ -65,7 +66,7 @@ public class FirewallRuleVO implements FirewallRule {
 int sourcePortEnd;
 @Column(name="protocol", updatable=false)
- String protocol = "TCP";
+ String protocol = NetUtils.TCP_PROTO;
 @Enumerated(value=EnumType.STRING)
 @Column(name="purpose")
diff --git a/server/src/com/cloud/network/rules/RulesManagerImpl.java b/server/src/com/cloud/network/rules/RulesManagerImpl.java
index 5fc614f1de1..50b86e187dc 100644
--- a/server/src/com/cloud/network/rules/RulesManagerImpl.java
+++ b/server/src/com/cloud/network/rules/RulesManagerImpl.java
@@ -39,7 +39,9 @@ import com.cloud.exception.ResourceUnavailableException;
 import com.cloud.network.IPAddressVO;
 import com.cloud.network.IpAddress;
 import com.cloud.network.Network;
+import com.cloud.network.Network.Capability;
 import com.cloud.network.Network.GuestIpType;
+import com.cloud.network.Network.Service;
 import com.cloud.network.NetworkManager;
 import com.cloud.network.dao.FirewallRulesDao;
 import com.cloud.network.dao.IPAddressDao;
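Review bot: Replacing the initializer `"TCP"` with `NetUtils.TCP_PROTO` on the `protocol` field of FirewallRuleVO silently changes the default from upper to lower case, because the NetUtils hunk of this commit shows `TCP_PROTO = "tcp"`. The column is mapped with `updatable=false`, so rows written before this change presumably keep `TCP` while rows created afterwards default to `tcp`. Any case-sensitive comparison on the protocol, in Java or in a query, would then treat otherwise identical firewall rules as different. If the mixed case is intended, record it on the field with a comment such as `// lower-case default; always compare with equalsIgnoreCase`; otherwise normalise the value in one place when it is set. The class body continues outside the hunk.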
@@ -227,6 +229,14 @@ public class RulesManagerImpl implements RulesManager, RulesService, Manager {
 throw new NetworkRuleConflictException("Can't do one to one NAT on ip address: " + ipAddress.getAddress());
 }
+
+ //Verify that the network guru supports the protocol specified
+ Map firewallCapability = _networkMgr.getServiceCapability(network.getDataCenterId(), Service.Firewall);
+ String supportedProtocols = firewallCapability.get(Capability.SupportedProtocols).toLowerCase();
+ if (!supportedProtocols.contains(rule.getProtocol().toLowerCase())) {
+ throw new InvalidParameterValueException("Protocol " + rule.getProtocol() + " is not supported in zone " + network.getDataCenterId());
+ }
+
 PortForwardingRuleVO newRule = new PortForwardingRuleVO(rule.getXid(), rule.getSourceIpAddressId(),
diff --git a/utils/src/com/cloud/utils/net/NetUtils.java b/utils/src/com/cloud/utils/net/NetUtils.java
index 6add64dd7e8..eca437daabc 100755
--- a/utils/src/com/cloud/utils/net/NetUtils.java
+++ b/utils/src/com/cloud/utils/net/NetUtils.java
@@ -51,6 +51,7 @@ public class NetUtils {
 public final static String UDP_PROTO = "udp";
 public final static String TCP_PROTO = "tcp";
+ public final static String ANY_PROTO = "any";
 public final static String ICMP_PROTO = "icmp";
 private final static Random _rand = new Random(System.currentTimeMillis());
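Review bot: The protocol check added to RulesManagerImpl validates with `supportedProtocols.contains(...)`, a substring match, so any fragment of the capability string, including an empty value, is accepted as a supported protocol and presumably carried into the rule built just below. The same lines dereference `firewallCapability`, the `Capability.SupportedProtocols` entry and `rule.getProtocol()` without a null check. A zone without a Firewall service, or a request without a protocol, would therefore surface as a NullPointerException rather than an InvalidParameterValueException. Comparing against whole entries of the capability list, as sketched below, closes both gaps; the list separator is an assumption to confirm. The enclosing method starts and ends outside the hunk.

```java
// … unchanged: firewallCapability lookup through _networkMgr.getServiceCapability …
String supportedProtocols = (firewallCapability == null) ? null : firewallCapability.get(Capability.SupportedProtocols);
String requestedProtocol = rule.getProtocol();
boolean protocolSupported = false;
if (supportedProtocols != null && requestedProtocol != null) {
    // Assumes a comma-separated capability value; confirm the format the zone's network elements publish.
    for (String candidate : supportedProtocols.split(",")) {
        if (candidate.trim().equalsIgnoreCase(requestedProtocol.trim())) {
            protocolSupported = true;
            break;
        }
    }
}
if (!protocolSupported) {
    throw new InvalidParameterValueException("Protocol " + requestedProtocol + " is not supported in zone " + network.getDataCenterId());
}
// … unchanged: PortForwardingRuleVO construction …
```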