diff --git a/openwisp-config/files/sbin/openwisp-update-config.lua b/openwisp-config/files/sbin/openwisp-update-config.lua
index fc756e2a..70d657dd 100755
--- a/openwisp-config/files/sbin/openwisp-update-config.lua
+++ b/openwisp-config/files/sbin/openwisp-update-config.lua
@@ -38,8 +38,9 @@ local get_standard = function() return uci.cursor(standard_config_dir) end
 local get_remote = function()
   return uci.cursor(remote_config_dir, '/tmp/openwisp/.uci')
 end
-local get_check =
-  function() return uci.cursor(check_config_dir, '/tmp/openwisp/.uci') end
+local get_check = function()
+  return uci.cursor(check_config_dir, '/tmp/openwisp/.uci')
+end
 local get_stored = function()
   return uci.cursor(stored_config_dir, '/tmp/openwisp/.uci')
 end
@@ -153,34 +154,9 @@ if lfs.attributes(remote_config_dir, 'mode') == 'directory' then
     if lfs.attributes(remote_path, 'mode') == 'file' then
       -- if there's no backup of the file yet, create one
       if not utils.file_exists(stored_path) then
-        os.execute('cp ' .. standard_path .. ' ' .. stored_path)
-        local uci_sections = stored:get_all(file) or {}
-        for key, section in pairs(uci_sections) do
-          -- check if section is in remote configuration
-          local section_check = check:get(file, section['.name'])
-          if section_check then
-            -- check if options is in remote configuration
-            for option, value in pairs(section) do
-              if not utils.starts_with_dot(option) then
-                local option_check = check:get(file, section['.name'], option)
-                if option_check then
-                  -- if option is in remote configuration, remove it
-                  stored:delete(file, section['.name'], option)
-                end
-              end
-            end
-            -- remove entire section if empty
-            local result = stored:get_all(file, section['.name'])
-            if result and utils.is_uci_empty(result) then
-              stored:delete(file, section['.name'])
-            end
-          end
-        end
-        stored:commit(file)
-        -- remove uci file if empty
-        local uci_file = stored:get_all(file)
-        if uci_file and utils.is_table_empty(uci_file) then
-          os.remove(stored_path)
+        local uci_file = check:get_all(file)
+        if uci_file and not utils.is_table_empty(uci_file) then
+          os.execute('cp ' .. standard_path .. ' ' .. stored_path)
         end
       end
       -- MERGE mode
diff --git a/openwisp-config/tests/good-config.tar.gz b/openwisp-config/tests/good-config.tar.gz
index b0ebe92d..3b4d8ee5 100644
Binary files a/openwisp-config/tests/good-config.tar.gz and b/openwisp-config/tests/good-config.tar.gz differ
diff --git a/openwisp-config/tests/test_update_config.lua b/openwisp-config/tests/test_update_config.lua
index a80c2628..f49bc1cb 100644
--- a/openwisp-config/tests/test_update_config.lua
+++ b/openwisp-config/tests/test_update_config.lua
@@ -24,6 +24,7 @@ TestUpdateConfig = {
         os.execute('cp ./update/system '..config_dir..'system')
         os.execute('cp ./update/network '..config_dir..'network')
         os.execute('cp ./update/wireless '..config_dir..'wireless')
+        os.execute('cp ./update/firewall '..config_dir..'firewall')
         -- we expect these UCI files to be removed
         os.execute('cp ./config/wireless-autoname '..remote_config_dir..'/wireless-autoname')
         os.execute('cp ./wifi/wireless '..remote_config_dir..'/wireless')
@@ -65,11 +66,16 @@ function TestUpdateConfig.test_update()
     local storedNetworkFile = io.open(stored_dir .. '/etc/config/network')
     luaunit.assertNotNil(storedNetworkFile)
     local storedNetworkContents = storedNetworkFile:read('*all')
-    -- ensure wg1 is not added that is downloaded from remote
-    luaunit.assertNil(string.find(storedNetworkContents, "config interface 'wg1'"))
-    -- ensure wan and wg0 are present
+    -- ensure stored
+    luaunit.assertNotNil(string.find(storedNetworkContents, "config interface 'wg1'"))
     luaunit.assertNotNil(string.find(storedNetworkContents, "config interface 'wan'"))
     luaunit.assertNotNil(string.find(storedNetworkContents, "config interface 'wg0'"))
+    -- ensure only options with differing values are stored
+    local storedFirewallFile = io.open(stored_dir .. '/etc/config/firewall')
+    luaunit.assertNotNil(storedFirewallFile)
+    local storedFirewallContents = storedFirewallFile:read('*all')
+    luaunit.assertNotNil(string.find(storedFirewallContents, "option forward 'REJECT'"))
+    luaunit.assertNotNil(string.find(storedFirewallContents, "option output 'ACCEPT'"))
     -- check system
     local systemFile = io.open(config_dir .. 'system')
     luaunit.assertNotNil(systemFile)
diff --git a/openwisp-config/tests/update/firewall b/openwisp-config/tests/update/firewall
new file mode 100644
index 00000000..c79c5bf1
--- /dev/null
+++ b/openwisp-config/tests/update/firewall
@@ -0,0 +1,5 @@
+config defaults 'defaults'
+  option syn_flood '1'
+  option input 'ACCEPT'
+  option output 'ACCEPT'
+  option forward 'REJECT'