diff --git a/content/en/faq/security/automtls-exclude-port.md b/content/en/faq/security/automtls-exclude-port.md new file mode 100644 index 0000000000..da9bdf40d1 --- /dev/null +++ b/content/en/faq/security/automtls-exclude-port.md @@ -0,0 +1,9 @@ +--- +title: Does Auto mutual TLS exclude ports set using "excludeInboundPorts" annotation? +weight: 80 +--- + +No. When `traffic.sidecar.istio.io/excludeInboundPorts` is used on server workloads, Istio still +configures the client Envoy to send mutual TLS by default. To change that, you need to configure +a Destination Rule with mutual TLS mode set to `DISABLE` to have clients send plain text to those +ports.
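Review bot: The last sentence of the answer ("configure a Destination Rule with mutual TLS mode set to `DISABLE`") does not say how to scope the rule to the excluded ports. A reader who sets `DISABLE` in the host-wide traffic policy will turn off mutual TLS for every port of that service, not only the ones listed in `traffic.sidecar.istio.io/excludeInboundPorts`. Suggest stating that the TLS mode should be set per port (the `portLevelSettings` field of the DestinationRule traffic policy) so the remaining ports keep mutual TLS, and linking to the DestinationRule reference page. It would also help to say in one clause why the mismatch occurs: the excluded ports bypass the server sidecar, so nothing on the server side terminates the mutual TLS the client Envoy sends. Minor style point: the title capitalizes "Auto mutual TLS" and the body writes "Destination Rule" in title case; lower-casing both ("auto mutual TLS", "destination rule") would be more consistent.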