diff --git a/client/internal/acl/manager.go b/client/internal/acl/manager.go
index e810d4179..d2947f497 100644
--- a/client/internal/acl/manager.go
+++ b/client/internal/acl/manager.go
@@ -268,7 +268,7 @@ func (d *DefaultManager) protoRuleToFirewallRule(
 }
 var port *firewall.Port
- if r.PortInfo != nil {
+ if !portInfoEmpty(r.PortInfo) {
 port = convertPortInfo(r.PortInfo)
 } else if r.Port != "" {
 // old version of management, single port
@@ -305,6 +305,22 @@ func (d *DefaultManager) protoRuleToFirewallRule(
 return ruleID, rules, nil
 }
+func portInfoEmpty(portInfo *mgmProto.PortInfo) bool {
+ if portInfo == nil {
+ return true
+ }
+
+ switch portInfo.GetPortSelection().(type) {
+ case *mgmProto.PortInfo_Port:
+ return portInfo.GetPort() == 0
+ case *mgmProto.PortInfo_Range_:
+ r := portInfo.GetRange()
+ return r == nil || r.Start == 0 || r.End == 0
+ default:
+ return true
+ }
+}
+
 func (d *DefaultManager) addInRules(
 ip net.IP,
 protocol firewall.Protocol,
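Review bot: In `portInfoEmpty`, the range case `r.Start == 0 || r.End == 0` classifies a half-specified range (one bound set, the other zero) as "no port info", so in the first hunk the rule falls through to the legacy `r.Port` branch and, if that is empty too, `port` stays nil. What a nil port means to the firewall backend is outside these hunks, but if it means "any port", a malformed port restriction from management silently widens an ACL rule instead of being rejected. Consider treating only a fully unset range as empty, `return r == nil || (r.Start == 0 && r.End == 0)`, and having `protoRuleToFirewallRule` return an error for a partially set range or for `Start > End`. The helper also deserves a doc comment, for example `// portInfoEmpty reports whether portInfo carries no usable port or range; nil, unset and zero-valued selections count as empty.`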