State lookup fails with "access denied" for firewall policy

I am in the process of setting up Ubuntu Linux (20.04) clients with VPN access using f5epi. Everything works, except for a firewall policy. The client side logs contain:

2021-09-29,12:50:17:954, 19837,19837,, 48, , 221, CreateInspector(), Created new OesisModule: SDK Version = '4.3.1161.0', V3V4 Adapter Version = '4.3.980.0'

2021-09-29,12:50:17:954, 19837,19837,, 48, , 224, CreateInspector(), Created new reference

2021-09-29,12:50:17:954, 19837,19837,, 48, , 74, OesisModule:Run(), policyData=type=fw&collect=2&count=1&check_list_type=required&vendor_id1=97&id1=0&version1=&platform1=2&state1=1

2021-09-29,12:50:17:954, 19837,19837,, 48, , 169, OesisLogInfoPolicy(), server configuration check list ===>

Type: fw

vendor_id: 97

id: 0

version:

platform: 2

state: 1

2021-09-29,12:50:19:043, 19837,19837,, 48, , 86, OesisModule:Run(), testing product: id=97001

2021-09-29,12:50:19:043, 19837,19837,, 48, , 98, OesisModule:Run(), Product didn't match with any product from "server configuration check list"->

2021-09-29,12:50:19:043, 19837,19837,, 48, , 194, , id=97001

2021-09-29,12:50:19:043, 19837,19837,, 48, , 194, , vendor_id=97

2021-09-29,12:50:19:043, 19837,19837,, 48, , 194, , version=1.8.4

2021-09-29,12:50:19:043, 19837,19837,, 48, , 194, , name=IPTables

2021-09-29,12:50:19:043, 19837,19837,, 48, , 194, , vendor_name=IPTables

2021-09-29,12:50:19:043, 19837,19837,, 48, , 194, , errors=Failed to get 'state'. code: -32 (Access denied) mId: 1 iId: 11

2021-09-29,12:50:19:087, 19837,19837,, 48, , 155, OesisModule:Run(), leave (check failed)

I assume the issue is that the iptables state check is trying to do something it is not allowed to do locally. Does anyone recognize this problem or have any information on what OesisModule is trying to access in this case?