diff --git a/pkg/firewalls/firewalls.go b/pkg/firewalls/firewalls.go
index 4b5a2aba1f..7e259909cc 100644
--- a/pkg/firewalls/firewalls.go
+++ b/pkg/firewalls/firewalls.go
@@ -33,7 +33,8 @@ import (
 const (
 	// DefaultFirewallName is the name to use for firewall rules created
 	// by an L7 controller when --firewall-rule is not used.
-	DefaultFirewallName = ""
+	DefaultFirewallName        = ""
+	DefaultFirewallDescription = "GCE L7 firewall rule"
 )
 
 // FirewallRules manages firewall rules.
@@ -119,7 +120,7 @@ func (fr *FirewallRules) buildExpectedFW(nodeNames, additionalPorts, additionalR
 
 	expectedFirewall := &compute.Firewall{
 		Name:         name,
-		Description:  "GCE L7 firewall rule",
+		Description:  DefaultFirewallDescription,
 		SourceRanges: ranges.UnsortedList(),
 		Network:      fr.cloud.NetworkURL(),
 		Allowed: []*compute.FirewallAllowed{
diff --git a/pkg/firewalls/firewalls_l7_cr.go b/pkg/firewalls/firewalls_l7_cr.go
index 09f20fdf12..1e05bfab81 100644
--- a/pkg/firewalls/firewalls_l7_cr.go
+++ b/pkg/firewalls/firewalls_l7_cr.go
@@ -137,6 +137,7 @@ func NewFirewallCR(name string, ports, srcRanges, dstRanges []string, enforced b
 		ObjectMeta: metav1.ObjectMeta{
 			Name: name,
 		},
+		Description: DefaultFirewallDescription,
 		Spec: gcpfirewallv1.GCPFirewallSpec{
 			Action:   gcpfirewallv1.ActionAllow,
 			Disabled: !enforced,