diff --git a/content/en/boilerplates/auto-san-validation.md b/content/en/boilerplates/auto-san-validation.md new file mode 100644 index 0000000000..908d975cd6 --- /dev/null +++ b/content/en/boilerplates/auto-san-validation.md @@ -0,0 +1,5 @@ +--- +--- +{{< tip >}} +Istio has `auto_sni` and `auto_san_validation` enabled by default. This means, whenever there is no explicit `sni` set in your `DestinationRule`, transport socket SNI for new upstream connections will be set based on the downstream HTTP host/authority header. If there are no `subjectAltNames` set in the `DestinationRule` when `sni` is unset, `auto_san_validation` will kick in, and the upstream-presented certificate for new upstream connections will be automatically validated based on the downstream HTTP host/authority header. +{{< /tip >}} diff --git a/content/en/docs/tasks/traffic-management/egress/egress-gateway-tls-origination/index.md b/content/en/docs/tasks/traffic-management/egress/egress-gateway-tls-origination/index.md index c365dd0afe..b8f1e4c688 100644 --- a/content/en/docs/tasks/traffic-management/egress/egress-gateway-tls-origination/index.md +++ b/content/en/docs/tasks/traffic-management/egress/egress-gateway-tls-origination/index.md @@ -904,6 +904,8 @@ EOF {{< /tabset >}} +{{< boilerplate auto-san-validation >}} + 5) Verify that the credential is supplied to the egress gateway and active: {{< tabset category-name="config-api" >}} diff --git a/content/en/docs/tasks/traffic-management/egress/egress-tls-origination/index.md b/content/en/docs/tasks/traffic-management/egress/egress-tls-origination/index.md index d88a43193d..99abeb4f99 100644 --- a/content/en/docs/tasks/traffic-management/egress/egress-tls-origination/index.md +++ b/content/en/docs/tasks/traffic-management/egress/egress-tls-origination/index.md 
@@ -449,13 +449,17 @@ to hold the configuration of the NGINX server: tls: mode: MUTUAL credentialName: client-credential # this must match the secret created earlier to hold client certs, and works only when DR has a workloadSelector - sni: my-nginx.mesh-external.svc.cluster.local # this is optional + sni: my-nginx.mesh-external.svc.cluster.local + # subjectAltNames: # can be enabled if the certificate was generated with SAN as specified in previous section + # - my-nginx.mesh-external.svc.cluster.local EOF {{< /text >}} The above `DestinationRule` will perform mTLS origination for HTTP requests on port 80 and the `ServiceEntry` will then redirect the requests on port 80 to target port 443. + {{< boilerplate auto-san-validation >}} + 1. Verify that the credential is supplied to the sidecar and active. {{< text bash >}} diff --git a/content/en/docs/tasks/traffic-management/egress/egress-tls-origination/snips.sh b/content/en/docs/tasks/traffic-management/egress/egress-tls-origination/snips.sh index 260d428d92..26a8a1967c 100644 --- a/content/en/docs/tasks/traffic-management/egress/egress-tls-origination/snips.sh +++ b/content/en/docs/tasks/traffic-management/egress/egress-tls-origination/snips.sh @@ -286,7 +286,9 @@ spec: tls: mode: MUTUAL credentialName: client-credential # this must match the secret created earlier to hold client certs, and works only when DR has a workloadSelector - sni: my-nginx.mesh-external.svc.cluster.local # this is optional + sni: my-nginx.mesh-external.svc.cluster.local + # subjectAltNames: # can be enabled if the certificate was generated with SAN as specified in previous section + # - my-nginx.mesh-external.svc.cluster.local EOF }
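Review bot: the new boilerplate in the first hunk (content/en/boilerplates/auto-san-validation.md) only describes the case where `sni` is unset, yet both `DestinationRule` examples this patch attaches it to set `sni: my-nginx.mesh-external.svc.cluster.local` explicitly and leave `subjectAltNames` commented out. Add one sentence to the tip covering that case: when `sni` is set, `auto_san_validation` does not apply, so without `subjectAltNames` the upstream certificate is checked against the configured CA only and nothing pins the server identity the client expects. That is the security-relevant reason a reader would uncomment `subjectAltNames`, and the tip should say so rather than leaving the reader to infer it. Minor: the file ships an empty front matter block (`---` / `---`); if the boilerplate template does not need it, drop it, and consider linking `auto_sni` and `auto_san_validation` to where those settings are documented.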
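Review bot: in the egress-gateway-tls-origination hunk the tip is inserted after the closing `{{< /tabset >}}` of the configuration step and immediately before "5) Verify that the credential is supplied to the egress gateway and active", i.e. after the reader has already applied the `DestinationRule`. Since the tip is advice about how to fill in `sni` and `subjectAltNames`, it reads better placed before the tabset that contains the configuration, so the reader can decide whether to set `subjectAltNames` before applying it; if it stays here, a one-line lead-in ("Note the following about the `DestinationRule` you just applied:") would make the placement less abrupt.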
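Review bot: in the egress-tls-origination/index.md hunk the `subjectAltNames` block is added commented out with the note "can be enabled if the certificate was generated with SAN as specified in previous section", while the task itself generates that certificate in the previous section. Either uncomment the two lines so the documented mTLS origination validates the NGINX server's identity as well as its CA, or keep them commented and state explicitly what the reader loses by doing so (with `sni` set and no `subjectAltNames`, SAN validation is skipped). Also, dropping `# this is optional` from the `sni` line removes the only hint that `sni` can be omitted; since the accompanying tip explains the unset-`sni` behaviour, consider replacing the comment rather than deleting it, e.g. `sni: my-nginx.mesh-external.svc.cluster.local # optional; see the note below on auto SNI and SAN validation`.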
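Review bot: the snips.sh hunk reproduces the `DestinationRule` change from index.md line for line, including the commented `subjectAltNames` block, which is what the doc tests expect. Please confirm this file was regenerated from index.md (the istio.io repo generates snips.sh from the task page rather than taking hand edits) so the two cannot drift; if `subjectAltNames` is uncommented in index.md as suggested above, the regenerated snips.sh must carry the same change, and the test that applies this snippet will then exercise SAN validation against the certificate created earlier in the task.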