diff --git a/maxscale-system-test/CMakeLists.txt b/maxscale-system-test/CMakeLists.txt
index 5febb2c2e..278002ce1 100644
--- a/maxscale-system-test/CMakeLists.txt
+++ b/maxscale-system-test/CMakeLists.txt
@@ -535,6 +535,8 @@ add_test_script(masking_mysqltest masking_mysqltest_driver.sh masking_mysqltest
 
 add_test_script(masking_user masking_user.sh masking_mysqltest LABELS maskingfilter REPL_BACKEND)
 
+add_test_executable(masking_auto_firewall.cpp masking_auto_firewall masking_auto_firewall LABELS masking REPL_BACKEND)
+
 # Test of Cache filter - basics
 add_test_script(cache_basic cache_basic.sh cache_basic LABELS cachefilter REPL_BACKEND)
 
diff --git a/maxscale-system-test/cnf/maxscale.cnf.template.masking_auto_firewall b/maxscale-system-test/cnf/maxscale.cnf.template.masking_auto_firewall
new file mode 100644
index 000000000..081d14cfe
--- /dev/null
+++ b/maxscale-system-test/cnf/maxscale.cnf.template.masking_auto_firewall
@@ -0,0 +1,49 @@
+[maxscale]
+threads=###threads###
+maxlog=1
+log_info=1
+
+[server1]
+type=server
+address=###node_server_IP_1###
+port=###node_server_port_1###
+protocol=MySQLBackend
+
+[TheMonitor]
+type=monitor
+module=mysqlmon
+servers=server1
+user=maxskysql
+password=skysql
+monitor_interval=1000
+
+[Masking]
+type=filter
+module=masking
+rules=/home/vagrant/masking_auto_firewall.json
+warn_type_mismatch=always
+large_payload=ignore
+
+[RWS]
+type=service
+router=readwritesplit
+servers=server1
+user=maxskysql
+password=skysql
+filters=Masking
+
+[RWS-Listener]
+type=listener
+service=RWS
+protocol=MySQLClient
+port=4006
+
+[CLI]
+type=service
+router=cli
+
+[CLI-Listener]
+type=listener
+service=CLI
+protocol=maxscaled
+socket=default
diff --git a/maxscale-system-test/masking_auto_firewall.cpp b/maxscale-system-test/masking_auto_firewall.cpp
new file mode 100644
index 000000000..b5c83ff0d
--- /dev/null
+++ b/maxscale-system-test/masking_auto_firewall.cpp
@@ -0,0 +1,91 @@
+/*
+ * Copyright (c) 2016 MariaDB Corporation Ab
+ *
+ * Use of this software is governed by the Business Source License included
+ * in the LICENSE.TXT file and at www.mariadb.com/bsl11.
+ *
+ * Change Date: 2022-01-01
+ *
+ * On the date above, in accordance with the Business Source License, use
+ * of this software will be governed by version 2 or later of the General
+ * Public License.
+ */
+
+#include <iostream>
+#include "testconnections.h"
+
+using namespace std;
+
+namespace
+{
+
+void init(TestConnections& test)
+{
+    MYSQL* pMysql = test.maxscales->conn_rwsplit[0];
+
+    test.try_query(pMysql, "DROP TABLE IF EXISTS masking_auto_firewall");
+    test.try_query(pMysql, "CREATE TABLE masking_auto_firewall (a TEXT, b TEXT)");
+    test.try_query(pMysql, "INSERT INTO masking_auto_firewall VALUES ('hello', 'world')");
+}
+
+void run(TestConnections& test)
+{
+    init(test);
+
+    MYSQL* pMysql = test.maxscales->conn_rwsplit[0];
+
+    int rv;
+
+    // This should go through, a is simply masked.
+    static const char* zMasked_query = "SELECT a, b FROM masking_auto_firewall";
+    test.tprintf("Executing '%s', SHOULD succeed.", zMasked_query);
+    rv = execute_query(pMysql, "%s", zMasked_query);
+    test.add_result(rv, "Could NOT execute query '%s'.", zMasked_query);
+
+    // This should NOT go through as a function is used with a masked column.
+    static const char* zRejected_query = "SELECT LENGTH(a), b FROM masking_auto_firewall";
+    test.tprintf("Executing '%s', should NOT succeed.", zRejected_query);
+    rv = execute_query_silent(pMysql , zRejected_query);
+    test.add_result(rv == 0, "COULD execute query '%s'.", zRejected_query);
+}
+
+}
+
+int main(int argc, char* argv[])
+{
+    TestConnections::skip_maxscale_start(true);
+
+    TestConnections test(argc, argv);
+
+    std::string json_file("/masking_auto_firewall.json");
+    std::string from = test_dir + json_file;
+    std::string to = "/home/vagrant" + json_file;
+
+    if (test.maxscales->copy_to_node(0, from.c_str(), to.c_str()) == 0)
+    {
+        if (test.maxscales->start() == 0)
+        {
+            sleep(2);
+            test.maxscales->wait_for_monitor();
+
+            if (test.maxscales->connect_rwsplit() == 0)
+            {
+                run(test);
+            }
+            else
+            {
+                test.assert(false, "Could not connect to RWS.");
+            }
+        }
+        else
+        {
+            test.assert(false, "Could not start MaxScale.");
+        }
+    }
+    else
+    {
+        test.assert(false, "Could not copy masking file to MaxScale node.");
+    }
+
+    return test.global_result;
+}
diff --git a/maxscale-system-test/masking_auto_firewall.json b/maxscale-system-test/masking_auto_firewall.json
new file mode 100644
index 000000000..74869426c
--- /dev/null
+++ b/maxscale-system-test/masking_auto_firewall.json
@@ -0,0 +1,12 @@
+{
+    "rules": [
+        {
+            "replace": {
+                "column": "a"
+            },
+            "with": {
+                "fill": "X"
+            }
+        }
+    ]
+}