diff --git a/agent/src/com/cloud/agent/resource/computing/LibvirtComputingResource.java b/agent/src/com/cloud/agent/resource/computing/LibvirtComputingResource.java
index dc33059f32d..7938b70502c 100644
--- a/agent/src/com/cloud/agent/resource/computing/LibvirtComputingResource.java
+++ b/agent/src/com/cloud/agent/resource/computing/LibvirtComputingResource.java
@@ -1638,6 +1638,7 @@ public class LibvirtComputingResource extends ServerResourceBase implements Serv
 				_vms.put(vmName, state);
 			}
 		} else {
+		    destroy_network_rules_for_vm(vmName);
 			cleanupVM(conn, vmName, getVnetId(VirtualMachineName.getVnet(vmName)));
 		}
 
@@ -3291,10 +3292,9 @@ public class LibvirtComputingResource extends ServerResourceBase implements Serv
     
     private Answer execute(NetworkRulesSystemVmCommand cmd) {
         boolean success = false;
-        if (cmd.getType() != VirtualMachine.Type.User) {
-            success = default_network_rules_for_systemvm(cmd.getVmName());
-        }
-        
+
+        success = default_network_rules_for_systemvm(cmd.getVmName());
+      
         return new Answer(cmd, success, "");
     }
 }
diff --git a/core/src/com/cloud/agent/api/NetworkRulesSystemVmCommand.java b/core/src/com/cloud/agent/api/NetworkRulesSystemVmCommand.java
index 79539051334..ad88934dda2 100644
--- a/core/src/com/cloud/agent/api/NetworkRulesSystemVmCommand.java
+++ b/core/src/com/cloud/agent/api/NetworkRulesSystemVmCommand.java
@@ -22,9 +22,6 @@ public class NetworkRulesSystemVmCommand extends Command {
      */
     
      private String vmName;
-     private long vmId;
-     private String pubIp;
-     private String mac;
      private VirtualMachine.Type type;
     
      protected NetworkRulesSystemVmCommand() {
@@ -33,32 +30,14 @@ public class NetworkRulesSystemVmCommand extends Command {
     
      public NetworkRulesSystemVmCommand(String vmName, VirtualMachine.Type type) {
          this.vmName = vmName;
-     }
-     
-     public NetworkRulesSystemVmCommand(String vmName, long vmId, String publicIP, String mac, VirtualMachine.Type type) {
-         this.vmName = vmName;
-         this.vmId = vmId;
-         this.pubIp = publicIP;
-         this.mac = mac;
          this.type = type;
      }
+     
     
      public String getVmName() {
          return vmName;
      }
      
-     public long getVmId() {
-         return vmId;
-     }
-     
-     public String getIp() {
-         return pubIp;
-     }
-    
-     public String getMac() {
-         return mac;
-     }
-     
      public VirtualMachine.Type getType() {
          return type;
      }
diff --git a/server/src/com/cloud/network/security/SecurityGroupManagerImpl.java b/server/src/com/cloud/network/security/SecurityGroupManagerImpl.java
index 3bfbb7bda0c..6dea81da470 100644
--- a/server/src/com/cloud/network/security/SecurityGroupManagerImpl.java
+++ b/server/src/com/cloud/network/security/SecurityGroupManagerImpl.java
@@ -302,6 +302,8 @@ public class SecurityGroupManagerImpl implements SecurityGroupManager, SecurityG
 	}
 
 	protected void handleVmStarted(VMInstanceVO vm) {
+	    if (vm.getType() != VirtualMachine.Type.User || !_enabled)
+	        return;
 		Set<Long> affectedVms = getAffectedVmsForVmStart(vm);
 		scheduleRulesetUpdateToHosts(affectedVms, true, null);
 	}
@@ -413,11 +415,15 @@ public class SecurityGroupManagerImpl implements SecurityGroupManager, SecurityG
 	}
 	
 	protected void handleVmStopped(VMInstanceVO vm) {
+	    if (vm.getType() != VirtualMachine.Type.User || !_enabled)
+            return;
 		Set<Long> affectedVms = getAffectedVmsForVmStop(vm);
 		scheduleRulesetUpdateToHosts(affectedVms, true, null);
 	}
 	
 	protected void handleVmMigrated(VMInstanceVO vm) {
+	    if (vm.getType() == VirtualMachine.Type.User )
+            return;
 	    NetworkRulesSystemVmCommand nrc = new NetworkRulesSystemVmCommand(vm.getInstanceName(), vm.getType());
 	    Commands cmds = new Commands(nrc);
 	    try {
@@ -828,6 +834,9 @@ public class SecurityGroupManagerImpl implements SecurityGroupManager, SecurityG
 	@Override
 	public boolean configure(String name, Map<String, Object> params)
 			throws ConfigurationException {
+	    /*register state listener, no matter security group is enabled or not*/
+	    VirtualMachine.State.getStateMachine().registerListener(this);
+	    
 		String enabled =_configDao.getValue("direct.attach.security.groups.enabled");
 		if ("true".equalsIgnoreCase(enabled)) {
 			_enabled = true;
@@ -841,8 +850,7 @@ public class SecurityGroupManagerImpl implements SecurityGroupManager, SecurityG
         _serverId = ((ManagementServer)ComponentLocator.getComponent(ManagementServer.Name)).getId();
         _executorPool = Executors.newScheduledThreadPool(10, new NamedThreadFactory("NWGRP"));
         _cleanupExecutor = Executors.newScheduledThreadPool(1, new NamedThreadFactory("NWGRP-Cleanup"));
-
-        VirtualMachine.State.getStateMachine().registerListener(this);
+        
  		return true;
 	}
 
@@ -1309,7 +1317,7 @@ public class SecurityGroupManagerImpl implements SecurityGroupManager, SecurityG
 
     @Override
     public boolean postStateTransitionEvent(State oldState, Event event, State newState, VirtualMachine vm, boolean status) {
-        if (!_enabled || !status || vm.getType() != VirtualMachine.Type.User) {
+        if (!status) {
             return false;
         }