diff --git a/REFERENCE.md b/REFERENCE.md
index a350538bd..3d7c4a883 100644
--- a/REFERENCE.md
+++ b/REFERENCE.md
@@ -995,8 +995,7 @@ Data type: `Optional[Variant[Integer[0,7],String[1]]]`
 When combined with jump => "LOG" specifies the system log level to log to.
- Note: log level 4/warn is the default setting and as such it is not returned by iptables-save.
- As a result, explicitly setting `log_level` to this can result in idempotency errors.
+ Note: log level 4/warn is the default setting.
 ##### `log_prefix`
diff --git a/lib/puppet/provider/firewall/firewall.rb b/lib/puppet/provider/firewall/firewall.rb
index dc41b3eb7..a2653356e 100644
--- a/lib/puppet/provider/firewall/firewall.rb
+++ b/lib/puppet/provider/firewall/firewall.rb
@@ -189,6 +189,11 @@ class Puppet::Provider::Firewall::Firewall
 :time_contiguous, :kernel_timezone, :clusterip_new, :queue_bypass, :ipvs, :notrack
 ]
+ # These are known resources that is omitted from the output of iptables-save if default value is set.
+ $known_omitted_defaults = [
+ :log_level
+ ]
+
 # Properties that use "-m " (with the potential to have multiple
 # arguments against the same IPT module) must be in this hash. The keys in this
 # hash are the IPT module names, with the values being an array of the respective
@@ -326,7 +331,7 @@ def insync?(context, _name, property_name, is_hash, should_hash)
 context.debug("Checking whether '#{property_name}' is out of sync")
 # If either value is nil, no custom logic is required
- return nil if is_hash[property_name].nil? || should_hash[property_name].nil?
+ return nil if (is_hash[property_name].nil? || should_hash[property_name].nil?) && !$known_omitted_defaults.include?(property_name)
 case property_name
 when :protocol
diff --git a/lib/puppet/type/firewall.rb b/lib/puppet/type/firewall.rb
index 066db2f05..a794f629c 100644
--- a/lib/puppet/type/firewall.rb
+++ b/lib/puppet/type/firewall.rb
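Review bot: In the `@@ -189` hunk of `lib/puppet/provider/firewall/firewall.rb`, `$known_omitted_defaults` is a mutable Ruby global, so any code loaded into the same Puppet process can reassign or append to it and change which firewall properties bypass the nil guard in `insync?`. The assignment of the array just above is outside the hunk, so this may follow the file's existing convention. If it does not, a frozen constant such as `KNOWN_OMITTED_DEFAULTS = [:log_level].freeze` is the safer form, and at minimum the closing `]` should become `].freeze`. The comment would also read better as `# Properties whose default value iptables-save omits from its output.`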
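Review bot: In the `@@ -326` hunk of `lib/puppet/provider/firewall/firewall.rb`, the widened guard sends `:log_level` into the `case` even when both `is_hash[:log_level]` and `should_hash[:log_level]` are nil, which is presumably the state of every rule that has no LOG target. The branch that handles `:log_level` lies outside the hunk, so the result for that case, and for an unset `should` against a live non-default level, cannot be confirmed from here. Keeping the early exit for the both-nil case, with `return nil if is_hash[property_name].nil? && should_hash[property_name].nil?` ahead of the new line, would limit the change to the case the commit targets. The comment above the guard still says no custom logic is needed when either value is nil and should name the exception. A wrong answer here either rewrites LOG rules on every run or leaves a drifted log level unreported.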
@@ -1230,8 +1230,7 @@
 desc: <<-DESC
 When combined with jump => "LOG" specifies the system log level to log to.
- Note: log level 4/warn is the default setting and as such it is not returned by iptables-save.
- As a result, explicitly setting `log_level` to this can result in idempotency errors.
+ Note: log level 4/warn is the default setting.
 DESC
 },
 log_uid: {
diff --git a/lib/puppet_x/puppetlabs/firewall/utility.rb b/lib/puppet_x/puppetlabs/firewall/utility.rb
index 56e03f727..faa310733 100644
--- a/lib/puppet_x/puppetlabs/firewall/utility.rb
+++ b/lib/puppet_x/puppetlabs/firewall/utility.rb
@@ -197,6 +197,7 @@ def self.log_level_name_to_number(value)
 when 'not', 'notice' then '5'
 when 'info' then '6'
 when 'debug' then '7'
+ when nil then '4'
 else nil
 end
 end
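Review bot: `when nil then '4'` in `lib/puppet_x/puppetlabs/firewall/utility.rb` changes the contract of `log_level_name_to_number` for every caller, not only the idempotency check: a nil input used to fall through to `else nil` and now comes back as `'4'`. The callers are outside this hunk; if any of them uses the result to build or normalise a rule, a rule with no `log_level` could start to carry level 4. Applying the default where the comparison is made, for example `value.nil? ? '4' : log_level_name_to_number(value)`, would leave the converter's behaviour unchanged. If the branch stays, a comment such as `# nil: iptables-save omits the default level (4/warn)` would explain why nil maps to a number. The method starts before the hunk.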