diff --git a/src/envoy/http/authn/http_filter.cc b/src/envoy/http/authn/http_filter.cc
index 717711a9edc..7751f81be4d 100644
--- a/src/envoy/http/authn/http_filter.cc
+++ b/src/envoy/http/authn/http_filter.cc
@@ -34,7 +34,26 @@ namespace Istio {
 namespace AuthN {
 AuthenticationFilter::AuthenticationFilter(const FilterConfig& filter_config)
- : filter_config_(filter_config) {}
+ : filter_config_(filter_config) {
+ for (const auto& method : filter_config.policy().peers()) {
+ switch (method.params_case()) {
+ case iaapi::PeerAuthenticationMethod::ParamsCase::kMtls:
+ if (method.mtls().mode() == iaapi::MutualTls_Mode_PERMISSIVE) {
+ ENVOY_LOG(
+ warn,
+ "mTLS PERMISSIVE mode is used, connection can be either "
+ "plaintext or TLS, and client cert can be omitted. "
+ "Please consider to upgrade to mTLS STRICT mode for more secure "
+ "configuration that only allows TLS connection with client cert. "
+ "See https://istio.io/docs/tasks/security/mtls-migration/");
+ return;
+ }
+ break;
+ default:
+ break;
+ }
+ }
+}
 AuthenticationFilter::~AuthenticationFilter() {}
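Review bot: The PERMISSIVE-mode warning is emitted from the `AuthenticationFilter` constructor, so it fires every time a filter object is built. If the filter is instantiated per stream, as is usual for Envoy HTTP filters (the factory is not visible in this hunk, so this is inferred), a permissive workload writes one `warn` line per request. That volume buries other authentication log lines and pushes operators to lower the log level, which hides this warning as well. Consider doing the check once where the `FilterConfig` is created, or guarding the log with a one-shot flag such as `static std::atomic<bool> warned{false}; if (!warned.exchange(true)) { ENVOY_LOG(warn, ...); }`. Separately, the `return;` inside the loop exits the constructor itself, so any initialization added after the loop later would be skipped in permissive mode.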