diff --git a/networking/v1alpha3/service_entry.pb.go b/networking/v1alpha3/service_entry.pb.go
index 8b1ce09126..8c421e2724 100644
--- a/networking/v1alpha3/service_entry.pb.go
+++ b/networking/v1alpha3/service_entry.pb.go
@@ -623,6 +623,8 @@ type ServiceEntry struct {
 	//     service accounts associated with the pods of the service, the
 	//     SANs specified here will also be verified.
 	//
+	// **NOTE 3:** Ztunnel and Waypoint proxies do not support wildcard hosts.
+	//
 	// +kubebuilder:validation:MinItems=1
 	// +kubebuilder:validation:MaxItems=256
 	// +protoc-gen-crd:list-value-validation:XValidation:message="hostname cannot be wildcard",rule="self != '*'"
@@ -687,6 +689,8 @@ type ServiceEntry struct {
 	// For a Kubernetes Service, the equivalent effect can be achieved by setting
 	// the annotation "networking.istio.io/exportTo" to a comma-separated list
 	// of namespace names.
+	//
+	// **Note:** Ztunnel and Waypoint proxies not support this field and will read it at "*".
 	ExportTo []string `protobuf:"bytes,7,rep,name=export_to,json=exportTo,proto3" json:"export_to,omitempty"`
 	// If specified, the proxy will verify that the server certificate's
 	// subject alternate name matches one of the specified values.
diff --git a/networking/v1alpha3/service_entry.pb.html b/networking/v1alpha3/service_entry.pb.html
index fb5ada0db4..1b4ddd67bc 100644
--- a/networking/v1alpha3/service_entry.pb.html
+++ b/networking/v1alpha3/service_entry.pb.html
@@ -382,6 +382,7 @@ <h2 id="ServiceEntry">ServiceEntry</h2>
 service accounts associated with the pods of the service, the
 SANs specified here will also be verified.</li>
 </ol>
+<p><strong>NOTE 3:</strong> Ztunnel and Waypoint proxies do not support wildcard hosts.</p>
 
 </td>
 </tr>
@@ -482,6 +483,7 @@ <h2 id="ServiceEntry">ServiceEntry</h2>
 <p>For a Kubernetes Service, the equivalent effect can be achieved by setting
 the annotation &ldquo;networking.istio.io/exportTo&rdquo; to a comma-separated list
 of namespace names.</p>
+<p><strong>Note:</strong> Ztunnel and Waypoint proxies not support this field and will read it at &ldquo;*&rdquo;.</p>
 
 </td>
 </tr>
diff --git a/networking/v1alpha3/service_entry.proto b/networking/v1alpha3/service_entry.proto
index a551fee8c6..705bf5a7aa 100644
--- a/networking/v1alpha3/service_entry.proto
+++ b/networking/v1alpha3/service_entry.proto
@@ -464,6 +464,9 @@ message ServiceEntry {
   // 1. subjectAltNames: In addition to verifying the SANs of the
   //    service accounts associated with the pods of the service, the
   //    SANs specified here will also be verified.
+  //
+  // **NOTE 3:** Ztunnel and Waypoint proxies do not support wildcard hosts.
+  //
   // +kubebuilder:validation:MinItems=1
   // +kubebuilder:validation:MaxItems=256
   // +protoc-gen-crd:list-value-validation:XValidation:message="hostname cannot be wildcard",rule="self != '*'"
@@ -595,6 +598,8 @@ message ServiceEntry {
   // For a Kubernetes Service, the equivalent effect can be achieved by setting
   // the annotation "networking.istio.io/exportTo" to a comma-separated list
   // of namespace names.
+  //
+  // **Note:** Ztunnel and Waypoint proxies not support this field and will read it at "*".
   repeated string export_to = 7;
 
   // If specified, the proxy will verify that the server certificate's