diff --git a/pkg/guestagent/guestagent_linux.go b/pkg/guestagent/guestagent_linux.go index 5b199131f56..e2ca83f3427 100644 --- a/pkg/guestagent/guestagent_linux.go +++ b/pkg/guestagent/guestagent_linux.go @@ -67,11 +67,11 @@ func New(ctx context.Context, newTicker func() (<-chan time.Time, func()), iptab return nil, err } } - - go a.setWorthCheckingIPTablesRoutine(auditClient, iptablesIdle) - } else { - a.worthCheckingIPTables = true } + + a.worthCheckingIPTables = true // allow initial iptables scan + go a.setWorthCheckingIPTablesRoutine(auditClient, iptablesIdle) + logrus.Infof("Auditing enabled (%d)", auditStatus.Enabled) return startGuestAgentRoutines(ctx, a, true), nil } @@ -111,7 +111,8 @@ type agent struct { // when no NETFILTER_CFG audit message was received for the iptablesIdle time. func (a *agent) setWorthCheckingIPTablesRoutine(auditClient *libaudit.AuditClient, iptablesIdle time.Duration) { logrus.Info("setWorthCheckingIPTablesRoutine(): monitoring netfilter audit events") - var latestTrue time.Time + // Initialize to now so the first sleeper loop does not immediately mark it false. + latestTrue := time.Now() go func() { for { time.Sleep(iptablesIdle)
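Review bot: On the path where auditing was already enabled, the removed `else` branch left `worthCheckingIPTables` permanently true, whereas the new code always hands the flag to `setWorthCheckingIPTablesRoutine`, whose doc comment says it is cleared when no NETFILTER_CFG audit message arrives within `iptablesIdle`. If those records are not delivered to this client (an assumption to confirm, for instance when an existing audit configuration filters them), iptables changes would presumably stop being rescanned after the first idle interval, with nothing in the log to show it. I would document the dependency next to the assignment, e.g. `// from here on the flag is driven only by NETFILTER_CFG audit events, also when auditing was already enabled`, and consider a periodic unconditional rescan as a fallback. The body of `New` starts outside this hunk, so the earlier return paths are not visible here.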
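Review bot: The new comment above `latestTrue := time.Now()` promises more than the visible code guarantees. The goroutine's first action is `time.Sleep(iptablesIdle)`, which sleeps at least that long, so if the check that follows (outside this hunk) compares the elapsed time against `iptablesIdle`, the first wake-up still finds the window expired, as it did with the zero `time.Time`. If the intent is a grace period of one idle interval for the initial scan, the comment should say so, e.g. `// Start the idle window now; the flag is first re-evaluated after iptablesIdle.`, and the comparison should be confirmed to give that result. `latestTrue` is also captured by the closure, so any write to it elsewhere in the function needs the same lock as the read; the rest of the function is outside the hunk.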