diff --git a/src/envoy/http/authn/http_filter.cc b/src/envoy/http/authn/http_filter.cc
index 75e172ef87b..e8fe41be1d2 100644
--- a/src/envoy/http/authn/http_filter.cc
+++ b/src/envoy/http/authn/http_filter.cc
@@ -51,12 +51,14 @@ FilterHeadersStatus AuthenticationFilter::decodeHeaders(HeaderMap& headers,
 Payload payload;
- if (!createPeerAuthenticator(filter_context_.get())->run(&payload)) {
+ if (!filter_config_.policy().peer_is_optional() &&
+ !createPeerAuthenticator(filter_context_.get())->run(&payload)) {
 rejectRequest("Peer authentication failed.");
 return FilterHeadersStatus::StopIteration;
 }
 bool success =
+ filter_config_.policy().origin_is_optional() ||
 createOriginAuthenticator(filter_context_.get())->run(&payload);
 // After Istio authn, the JWT headers consumed by Istio authn should be
diff --git a/src/envoy/http/authn/http_filter_test.cc b/src/envoy/http/authn/http_filter_test.cc
index 0c82a5e6959..79b39d7e76a 100644
--- a/src/envoy/http/authn/http_filter_test.cc
+++ b/src/envoy/http/authn/http_filter_test.cc
@@ -35,12 +35,19 @@ using testing::NiceMock;
 using testing::StrictMock;
 using testing::_;
+namespace iaapi = istio::authentication::v1alpha1;
+
 namespace Envoy {
 namespace Http {
 namespace Istio {
 namespace AuthN {
 namespace {
+const char ingoreBothPolicy[] = R"(
+ peer_is_optional: true
+ origin_is_optional: true
+)";
+
 // Create a fake authenticator for test. This authenticator do nothing except
 // making the authentication fail.
 std::unique_ptr createAlwaysFailAuthenticator(
@@ -74,8 +81,9 @@ class MockAuthenticationFilter : public AuthenticationFilter {
 public:
 // We'll use fake authenticator for test, so policy is not really needed. Use
 // default config for simplicity.
- MockAuthenticationFilter()
- : AuthenticationFilter(FilterConfig::default_instance()) {}
+ MockAuthenticationFilter(const FilterConfig& filter_config)
+ : AuthenticationFilter(filter_config) {}
+ ~MockAuthenticationFilter(){};
 MOCK_METHOD1(createPeerAuthenticator,
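Review bot: Both new conditions in decodeHeaders skip the authenticator entirely when the flag is set, instead of running it and tolerating failure: with `peer_is_optional()` true the peer authenticator's `run(&payload)` is never called, and `origin_is_optional() ||` short-circuits before the origin authenticator runs. A request that does carry a valid peer certificate or JWT then continues with an unpopulated `payload`, so anything later that bases authorization or audit on the authenticated identity would see none. If "optional" is meant as "do not reject when the credential is absent or invalid", run first and apply the flag to the result, e.g. `createOriginAuthenticator(filter_context_.get())->run(&payload) || filter_config_.policy().origin_is_optional();` and `if (!createPeerAuthenticator(filter_context_.get())->run(&payload) && !filter_config_.policy().peer_is_optional()) {`. The code that consumes `success` and `payload` is outside the hunk, so how it treats an empty payload should be confirmed there.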
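Review bot: The new fixture constant `ingoreBothPolicy` is misspelled; `ignoreBothPolicy` would match the `IgnoreBothFail` test that parses it in the last hunk of this file, where the reference has to be renamed as well. A one-line comment above it, such as `// Policy that marks both peer and origin authentication as optional.`, would say what the fixture is for.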
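Review bot: The comment kept above the constructor still says the policy is not needed and that the default config is used, but the new constructor takes the config from the caller, and the test added later in this file depends on its policy. It should be updated, for example to `// The filter config, including its policy, is supplied by the test fixture.`. The single-argument constructor would also be better declared `explicit MockAuthenticationFilter(const FilterConfig& filter_config)` so a `FilterConfig` cannot convert to a filter implicitly. The class body continues past the end of this hunk.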
@@ -95,9 +103,11 @@ class AuthenticationFilterTest : public testing::Test {
 }
 protected:
- StrictMock filter_;
- NiceMock decoder_callbacks_;
+ FilterConfig filter_config_ = FilterConfig::default_instance();
+ Http::TestHeaderMapImpl request_headers_;
+ StrictMock filter_{filter_config_};
+ NiceMock decoder_callbacks_;
 };
 TEST_F(AuthenticationFilterTest, PeerFail) {
@@ -151,6 +161,15 @@ TEST_F(AuthenticationFilterTest, AllPass) {
 TestUtilities::AuthNResultFromString(R"(peer_user: "foo")"), authn));
 }
+TEST_F(AuthenticationFilterTest, IgnoreBothFail) {
+ iaapi::Policy policy_;
+ ASSERT_TRUE(
+ Protobuf::TextFormat::ParseFromString(ingoreBothPolicy, &policy_));
+ *filter_config_.mutable_policy() = policy_;
+ EXPECT_EQ(Http::FilterHeadersStatus::Continue,
+ filter_.decodeHeaders(request_headers_, true));
+}
+
 } // namespace
 } // namespace AuthN
 } // namespace Istio
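Review bot: `filter_` is now constructed from `filter_config_`, so the fixture depends on `filter_config_` being declared first, and nothing in the class says so. The new IgnoreBothFail test also edits `filter_config_` after `filter_` has been built, which only takes effect if AuthenticationFilter keeps a reference to the config rather than a copy; that is not visible in this diff. A comment on the member would record both points, e.g. `// Must be declared before filter_, which is constructed from it and (presumably) reads the policy by reference at decode time.`. The fixture class begins before this hunk.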
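Review bot: IgnoreBothFail only covers the case where both flags are set, while the filter evaluates `peer_is_optional` and `origin_is_optional` in separate conditions. A regression that swapped the flags, or that let one of them bypass the other check, would still pass. Tests with only one flag set, where the non-optional authenticator fails, would pin that down: peer optional with a failing origin authenticator, and origin optional with a failing peer authenticator that is still expected to reject. The local `policy_` carries the trailing underscore used for members in this file; `policy` would be the consistent name.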