diff --git a/management/server/policy_test.go b/management/server/policy_test.go
index ec0cc1899..6b4b66f15 100644
--- a/management/server/policy_test.go
+++ b/management/server/policy_test.go
@@ -217,9 +217,13 @@ func TestAccount_getPeersByPolicy(t *testing.T) {
 Protocol: types.PolicyRuleProtocolTCP,
 Action: types.PolicyTrafficActionAccept,
 PortRanges: []types.RulePortRange{
+ {
+ Start: 8088,
+ End: 8088,
+ },
 {
 Start: 9090,
- End: 9092,
+ End: 9095,
 },
 },
 Sources: []string{
@@ -241,13 +245,9 @@ func TestAccount_getPeersByPolicy(t *testing.T) {
 t.Run("check that all peers get map", func(t *testing.T) {
 for _, p := range account.Peers {
- if p.ID == "peerK" {
- // skip peerK, it has no connections(old peer with no port range support)
- continue
- }
 peers, firewallRules := account.GetPeerConnectionResources(context.Background(), p, validatedPeers)
- assert.GreaterOrEqual(t, len(peers), 2, "minimum number peers should present")
- assert.GreaterOrEqual(t, len(firewallRules), 2, "minimum number of firewall rules should present")
+ assert.GreaterOrEqual(t, len(peers), 1, "minimum number peers should present")
+ assert.GreaterOrEqual(t, len(firewallRules), 1, "minimum number of firewall rules should present")
 }
 })
@@ -415,7 +415,26 @@ func TestAccount_getPeersByPolicy(t *testing.T) {
 peers, firewallRules := account.GetPeerConnectionResources(context.Background(), account.Peers["peerK"], validatedPeers)
 assert.Len(t, peers, 1)
 assert.Contains(t, peers, account.Peers["peerI"])
- assert.Len(t, firewallRules, 0)
+
+ expectedFirewallRules := []*types.FirewallRule{
+ {
+ PeerIP: "100.65.31.2",
+ Direction: types.FirewallRuleDirectionIN,
+ Action: "accept",
+ Protocol: "tcp",
+ Port: "8088",
+ PolicyID: "RuleWorkflow",
+ },
+ {
+ PeerIP: "100.65.31.2",
+ Direction: types.FirewallRuleDirectionOUT,
+ Action: "accept",
+ Protocol: "tcp",
+ Port: "8088",
+ PolicyID: "RuleWorkflow",
+ },
+ }
+ assert.ElementsMatch(t, firewallRules, expectedFirewallRules)
 })
 }
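Review bot: Lowering both GreaterOrEqual thresholds from 2 to 1 in the second hunk of this file weakens the "all peers get map" check for every peer in account.Peers, not only for peerK, whose skip was removed because it now receives single-port rules. A regression that halves the rule set for a fully-supported peer would still pass. Keep the stricter bound for the other peers and relax it only for the legacy one, e.g. `minRules := 2`, `if p.ID == "peerK" { minRules = 1 }`, and assert with `minRules` in both calls. The enclosing t.Run body starts outside the hunk.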
diff --git a/management/server/types/account.go b/management/server/types/account.go
index af08f2205..0132ec6e4 100644
--- a/management/server/types/account.go
+++ b/management/server/types/account.go
@@ -38,7 +38,7 @@ const (
 UnknownCategory = "unknown"
 // firewallRuleMinPortRangesVer defines the minimum peer version that supports port range rules.
- firewallRuleMinPortRangesVer = "0.35.0"
+ firewallRuleMinPortRangesVer = "0.48.0"
 )
 type LookupMap map[string]struct{}
@@ -1598,16 +1598,27 @@ func expandPortsAndRanges(ctx context.Context, base FirewallRule, rule *PolicyRu
 return expanded
 }
+ var peerSupportsPortRanges bool
+
 // skip processing the port ranges if the peer version doesn't support it
 meetMin, err := posture.MeetsMinVersion(firewallRuleMinPortRangesVer, peer.Meta.WtVersion)
- if err == nil && !meetMin {
- log.WithContext(ctx).Warnf("peer %s version doesn't support firewall rules port ranges, requires version %s+", peer.ID, firewallRuleMinPortRangesVer)
- return expanded
+ if err == nil && meetMin {
+ peerSupportsPortRanges = true
 }
 for _, portRange := range rule.PortRanges {
 fr := base
- fr.PortRange = portRange
+
+ if peerSupportsPortRanges {
+ fr.PortRange = portRange
+ } else {
+ // Peer doesn't support port ranges, only allow single-port ranges
+ if portRange.Start != portRange.End {
+ continue
+ }
+ fr.Port = strconv.FormatUint(uint64(portRange.Start), 10)
+ }
+
 expanded = append(expanded, &fr)
 }
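Review bot: The `continue` in the new else branch of expandPortsAndRanges silently drops every multi-port range for a peer below firewallRuleMinPortRangesVer, and the Warnf the removed branch emitted goes with it, so an operator gets no signal that the peer is enforcing a narrower rule set than the policy states. The same path is now also taken when posture.MeetsMinVersion returns an error, which previously fell through to the full port-range behaviour; that fail-closed change is sound but the error is discarded without a trace. I would log once before the skip, e.g. `log.WithContext(ctx).Debugf("peer %s: skipping port range %d-%d, requires version %s+", peer.ID, portRange.Start, portRange.End, firewallRuleMinPortRangesVer)`, and record `err` at debug level next to the meetMin check; this runs per peer and per rule on every map generation, so Debug rather than Warn keeps it from flooding. The function's signature and the start of its body lie outside the hunk.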