diff --git a/src/shared/firewall-util.c b/src/shared/firewall-util.c
index 65a2250ed3..afa3e02b45 100644
--- a/src/shared/firewall-util.c
+++ b/src/shared/firewall-util.c
@@ -48,18 +48,12 @@ int fw_ctx_new(FirewallContext **ret) {
 if (!ctx)
 return -ENOMEM;

- /* could probe here. However, this means that we will load
- * iptable_nat or nf_tables, both will enable connection tracking.
- *
- * Alternative would be to probe here but only call
- * fw_ctx_new when nspawn/networkd know they will call
- * fw_add_masquerade/local_dnat later anyway.
- */
-
 *ctx = (FirewallContext) {
 .backend = _FW_BACKEND_INVALID,
 };

+ firewall_backend_probe(ctx);
+
 *ret = TAKE_PTR(ctx);
 return 0;
 }
@@ -90,8 +84,6 @@ int fw_add_masquerade(
 return r;
 }

- firewall_backend_probe(*ctx);
-
 switch ((*ctx)->backend) {
 #if HAVE_LIBIPTC
 case FW_BACKEND_IPTABLES:
@@ -124,8 +116,6 @@ int fw_add_local_dnat(
 return r;
 }

- firewall_backend_probe(*ctx);
-
 switch ((*ctx)->backend) {
 #if HAVE_LIBIPTC
 case FW_BACKEND_IPTABLES:
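Review bot: The comment deleted from fw_ctx_new() documented a side effect that the added `firewall_backend_probe(ctx);` call now makes unconditional: probing loads iptable_nat or nf_tables and so enables connection tracking, and this now happens on every context creation instead of only when a masquerade or DNAT rule is actually added. Rather than dropping the warning, keep it in updated form directly above the new call, e.g. `/* Probing may load iptable_nat or nf_tables and enable conntrack; create a context only when rules will be installed. */`, so callers do not create contexts speculatively. As far as the hunk shows, fw_ctx_new() still returns 0 whatever the probe finds, so a caller would only learn that no backend is usable at the switch in fw_add_masquerade() or fw_add_local_dnat(); if that is intended, it deserves a sentence in the function's doc comment. The beginning of fw_ctx_new() lies outside the hunk.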