Missing iptables rule on undercloud for port 80 & 443

Solution In Progress - Updated -

Issue

The Horizon iptables rule is missing on the undercloud for RHOSP release 13.0.11; the same rule is present after an installation of 13.0.10.

[stack@undercloud-0 ~]$ cat /etc/rhosp-release 
Red Hat OpenStack Platform release 13.0.11 (Queens)

Rule #126, which opens ports 80 and 443, is missing:

[stack@undercloud-0 ~]$ sudo iptables -nvL |egrep '80|443'
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 6789,6800:6810 state NEW /* 110 ceph ipv4 */
  168 10080 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 6080,13080,8773,13773,8774,13774,8778,13778,8775,13775 state NEW /* 113 nova ipv4 */
 127K 7601K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 8080,13808 state NEW /* 122 swift proxy ipv4 */
  115  6900 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 8000,13800,8003,13003,8004,13004 state NEW /* 125 heat ipv4 */
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 8042,13042 state NEW /* 128 aodh ipv4 */
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 8041,13041 state NEW /* 129 gnocchi-api ipv4 */
   10   640 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 8088 state NEW /* 139 apache vhost ipv4 */
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 3000,443 state NEW /* 142 tripleo-ui ipv4 */
   20  6880 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 68 state NEW /* 116 neutron dhcp output ipv4 *

[stack@undercloud-0 ~]$ sudo iptables -nvL |grep horizon
<no output>

Rule #126 is defined in horizon.yaml, but puppet is not applying it, and it does not appear in the saved ruleset either:

[stack@undercloud-0 ~]$ cat /usr/share/openstack-tripleo-heat-templates/puppet/services/horizon.yaml | grep -iA7 firewall
          tripleo.horizon.firewall_rules:
            '126 horizon':
              dport:
                - 80
                - 443
[stack@undercloud-0 ~]$ sudo cat /etc/sysconfig/iptables.save | grep -iA2 125
-A INPUT -p tcp -m multiport --dports 8000,13800,8003,13003,8004,13004 -m state --state NEW -m comment --comment "125 heat ipv4" -j ACCEPT
-A INPUT -p udp -m multiport --dports 161 -m state --state NEW -m comment --comment "127 snmp ipv4" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 8042,13042 -m state --state NEW -m comment --comment "128 aodh ipv4" -j ACCEPT

The same rules are present on RHOSP 13.0.10, as the undercloud installation log and iptables output from a 13.0.10 undercloud show below.

  • undercloud installation log(s) and iptables output (RHOSP 13.0.10)
cat undercloud_install.log | grep -i firewall | grep -iA4 125
2020-03-03 07:14:53,253 INFO: Notice: /Stage[main]/Tripleo::Firewall/Tripleo::Firewall::Rule[125 heat]/Firewall[125 heat ipv4]/ensure: created
2020-03-03 07:14:53,648 INFO: Notice: /Stage[main]/Tripleo::Firewall/Tripleo::Firewall::Rule[125 heat]/Firewall[125 heat ipv6]/ensure: created
2020-03-03 07:14:54,079 INFO: Notice: /Stage[main]/Tripleo::Firewall/Tripleo::Firewall::Rule[126 horizon]/Firewall[126 horizon ipv4]/ensure: created
2020-03-03 07:14:54,768 INFO: Notice: /Stage[main]/Tripleo::Firewall/Tripleo::Firewall::Rule[126 horizon]/Firewall[126 horizon ipv6]/ensure: created
2020-03-03 07:14:55,418 INFO: Notice: /Stage[main]/Tripleo::Firewall/Tripleo::Firewall::Rule[127 snmp]/Firewall[127 snmp ipv4]/ensure: created
2020-03-03 07:14:55,820 INFO: Notice: /Stage[main]/Tripleo::Firewall/Tripleo::Firewall::Rule[127 snmp]/Firewall[127 snmp ipv6]/ensure: created
[stack@undercloud ~]$ sudo iptables -nvL |egrep '80|443'
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 6789,6800:6810 state NEW /* 110 ceph ipv4 */
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 6080,13080,8773,13773,8774,13774,8778,13778,8775,13775 state NEW /* 113 nova ipv4 */
 371K   22M ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 8080,13808 state NEW /* 122 swift proxy ipv4 */
  341 20460 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 8000,13800,8003,13003,8004,13004 state NEW /* 125 heat ipv4 */
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 80,443 state NEW /* 126 horizon ipv4 */
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 8042,13042 state NEW /* 128 aodh ipv4 */
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 8041,13041 state NEW /* 129 gnocchi-api ipv4 */
    8   480 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 6385,13385 state NEW /* 135 ironic ipv4 */
   26  1664 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 8088 state NEW /* 139 apache vhost ipv4 */
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 3000,443 state NEW /* 142 tripleo-ui ipv4 */
Chain FORWARD (policy ACCEPT 204 packets, 18057 bytes)
  204 18057 DOCKER-ISOLATION  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  204 18057 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

[stack@undercloud ~]$ sudo iptables -nvL | grep "horizon"
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 80,443 state NEW /* 126 horizon ipv4 */
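As an added check that is not part of the original article, the following POSIX shell functions parse iptables-save output and report whether the TripleO rules identified by their comment (e.g. "126 horizon ipv4") are present with the expected dports. The sample ruleset is constructed to mirror the 13.0.11 state shown above, where rule 126 is absent; on a real undercloud, feed it `"$(sudo iptables-save)"` instead.

```shell
#!/bin/sh
# Constructed sample in iptables-save format, modelled on the rules quoted in the
# article (rule 126 horizon is deliberately absent). Not captured from a real host.
SAMPLE_RULES='-A INPUT -p tcp -m multiport --dports 8000,13800,8003,13003,8004,13004 -m state --state NEW -m comment --comment "125 heat ipv4" -j ACCEPT
-A INPUT -p udp -m multiport --dports 161 -m state --state NEW -m comment --comment "127 snmp ipv4" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 8042,13042 -m state --state NEW -m comment --comment "128 aodh ipv4" -j ACCEPT'

# rule_dports RULES COMMENT
# Print the --dports list of the rule carrying COMMENT, or nothing if no such rule.
rule_dports() {
    printf '%s\n' "$1" \
        | grep -F -- "--comment \"$2\"" \
        | sed -n 's/.*--dports \([0-9:,]*\).*/\1/p'
}

# check_tripleo_rule RULES COMMENT EXPECTED_DPORTS
# Returns 0 if the rule exists with exactly EXPECTED_DPORTS,
# 1 if the rule is missing, 2 if it exists but opens different ports.
check_tripleo_rule() {
    ports=$(rule_dports "$1" "$2")
    if [ -z "$ports" ]; then
        echo "MISSING:  $2"
        return 1
    elif [ "$ports" != "$3" ]; then
        echo "MISMATCH: $2 has dports $ports, expected $3"
        return 2
    fi
    echo "OK:       $2 ($ports)"
    return 0
}

# audit_undercloud RULES
# Checks the rules this article compares; returns non-zero if any is missing or wrong.
# Usage on a live undercloud: audit_undercloud "$(sudo iptables-save)"
audit_undercloud() {
    rc=0
    check_tripleo_rule "$1" "125 heat ipv4" "8000,13800,8003,13003,8004,13004" || rc=1
    check_tripleo_rule "$1" "126 horizon ipv4" "80,443" || rc=1
    return $rc
}
```

Run against the constructed sample, the audit reports rule 125 as OK and rule 126 as MISSING, which is exactly the 13.0.11 symptom; a hypothetical ruleset where 126 opens only 443 would be reported as MISMATCH.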

Environment

Red Hat OpenStack Platform 13.0.11
