Here is a solution that we had with a client. The problem was that the firewall could not be activated with a VZ container with Ubuntu 22.04. In the VZ configuration in the VA, the netfilter mode had to be set to full so that the firewall could be started.
Otherwise the following happens: the firewall is activated via the web interface, but then the confirmation does not come because port 443 (and other TCP ports) are blocked because the state is not delivered via VZ.
I hope this solution is of some use to someone and saves someone time.