diff --git a/daemon/cmd/daemon_main.go b/daemon/cmd/daemon_main.go
index 474cc5b04343..2c5cc6815a26 100644
--- a/daemon/cmd/daemon_main.go
+++ b/daemon/cmd/daemon_main.go
@@ -1749,7 +1749,8 @@ func initKubeProxyReplacementOptions() (strict bool) {
 // detectDevicesForNodePortAndHostFirewall tries to detect bpf_host devices
 // (if needed).
 func detectDevicesForNodePortAndHostFirewall(strict bool) {
- detectNodePortDevs := option.Config.EnableNodePort && len(option.Config.Devices) == 0
+ detectNodePortDevs := len(option.Config.Devices) == 0 &&
+ (option.Config.EnableNodePort || option.Config.EnableHostFirewall)
 detectDirectRoutingDev := option.Config.EnableNodePort && option.Config.DirectRoutingDevice == ""
 if detectNodePortDevs || detectDirectRoutingDev {
@@ -1901,7 +1902,9 @@ func detectDevices(detectNodePortDevs, detectDirectRoutingDev bool) error {
 }
 }
 }
- devSet[option.Config.DirectRoutingDevice] = struct{}{}
+ if option.Config.DirectRoutingDevice != "" {
+ devSet[option.Config.DirectRoutingDevice] = struct{}{}
+ }
 option.Config.Devices = make([]string, 0, len(devSet))
 for dev := range devSet {
diff --git a/pkg/option/config.go b/pkg/option/config.go
index 5c13b215e3d3..a7373697d3d8 100644
--- a/pkg/option/config.go
+++ b/pkg/option/config.go
@@ -2914,6 +2914,7 @@ func EndpointStatusValuesMap() (values map[string]struct{}) {
 // MightAutoDetectDevices returns true if the device auto-detection might take
 // place.
 func MightAutoDetectDevices() bool {
- return Config.KubeProxyReplacement != KubeProxyReplacementDisabled &&
- (len(Config.Devices) == 0 || Config.DirectRoutingDevice == "")
+ return (Config.EnableHostFirewall && len(Config.Devices) == 0) ||
+ (Config.KubeProxyReplacement != KubeProxyReplacementDisabled &&
+ (len(Config.Devices) == 0 || Config.DirectRoutingDevice == ""))
 }
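Review bot: In `detectDevicesForNodePortAndHostFirewall`, `detectNodePortDevs` is now also true when only `EnableHostFirewall` is set, so the name no longer describes the flag, and it is passed under the same name into `detectDevices`. With the host firewall enabled, the detected set presumably decides which interfaces get policy enforcement, so the intent should be readable at the assignment. I would rename it to `detectDevs`, or add a comment above it such as `// Auto-detect devices for NodePort and/or the host firewall when none are configured.` The function body continues past the end of the hunk.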
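Review bot: In `detectDevices`, skipping the empty `DirectRoutingDevice` means `devSet` can now end up empty, where before it always held at least the `""` entry. If that happens with `EnableHostFirewall` set, `option.Config.Devices` is built as an empty slice and the host firewall would presumably be attached to no interface, with nothing telling the operator. The hunk does not show whether an earlier part of the function already rejects that case. If it does not, a guard before the `make` on the condition `len(devSet) == 0 && option.Config.EnableHostFirewall`, which returns an error or at least logs a warning, would make the gap visible. The function starts and ends outside the hunk.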
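Review bot: `MightAutoDetectDevices` has to track the conditions in `detectDevicesForNodePortAndHostFirewall` in daemon/cmd/daemon_main.go, but the two are written against different options (`KubeProxyReplacement` here, `EnableNodePort` there) and nothing in either place ties them together. The doc comment should name the triggers and the function to keep in sync, e.g. `// Keep in sync with detectDevicesForNodePortAndHostFirewall: true when the host firewall or kube-proxy replacement may need detected devices.` The nested boolean would also read more easily with the new case as an early return, `if Config.EnableHostFirewall && len(Config.Devices) == 0 { return true }`, leaving the original expression unchanged below it.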