diff --git a/internal/firewalls/ddos_protection.go b/internal/firewalls/ddos_protection.go
index 54b904f..118c3fa 100644
--- a/internal/firewalls/ddos_protection.go
+++ b/internal/firewalls/ddos_protection.go
@@ -91,6 +91,9 @@ func (this *DDoSProtectionManager) Apply(config *ddosconfigs.ProtectionConfig) e
 	}
 
 	if nftablesInstance == nil {
+		if config == nil || !config.IsOn() {
+			return nil
+		}
 		return errors.New("nftables instance should not be nil")
 	}
 
diff --git a/internal/nodes/api_stream.go b/internal/nodes/api_stream.go
index 57db159..8fa45c7 100644
--- a/internal/nodes/api_stream.go
+++ b/internal/nodes/api_stream.go
@@ -407,7 +407,7 @@ func (this *APIStream) handleCheckLocalFirewall(message *pb.NodeStreamMessage) e
 		var protectionConfig = sharedNodeConfig.DDoSProtection
 		err = firewalls.SharedDDoSProtectionManager.Apply(protectionConfig)
 		if err != nil {
-			this.replyFail(message.RequestId, dataMessage.Name+"was installed, but apply DDoS protection config failed: "+err.Error())
+			this.replyFail(message.RequestId, dataMessage.Name+" was installed, but apply DDoS protection config failed: "+err.Error())
 		} else {
 			this.replyOk(message.RequestId, string(result.AsJSON()))
 		}