diff --git a/api/v1alpha1/ext_auth_types.go b/api/v1alpha1/ext_auth_types.go index 25d28a91003..6e455aa42d1 100644 --- a/api/v1alpha1/ext_auth_types.go +++ b/api/v1alpha1/ext_auth_types.go @@ -40,6 +40,16 @@ type ExtAuth struct { // in HeadersToExtAuth or not. // +optional HeadersToExtAuth []string `json:"headersToExtAuth,omitempty"` + + // FailOpen is a switch used to control the behavior when a response from the External Authorization service cannot be obtained. + // If FailOpen is set to true, the system allows the traffic to pass through. + // Otherwise, if it is set to false or not set (defaulting to false), + // the system blocks the traffic and returns a HTTP 5xx error, reflecting a fail-closed approach. + // This setting determines whether to prioritize accessibility over strict security in case of authorization service failure. + // + // +optional + // +kubebuilder:default=false + FailOpen *bool `json:"failOpen,omitempty"` } // GRPCExtAuthService defines the gRPC External Authorization service diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go index eb22e02fe2d..51506aed4b0 100644 --- a/api/v1alpha1/zz_generated.deepcopy.go +++ b/api/v1alpha1/zz_generated.deepcopy.go @@ -1374,6 +1374,11 @@ func (in *ExtAuth) DeepCopyInto(out *ExtAuth) { *out = make([]string, len(*in)) copy(*out, *in) } + if in.FailOpen != nil { + in, out := &in.FailOpen, &out.FailOpen + *out = new(bool) + **out = **in + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExtAuth. diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml index fe4edffe69f..ee9f22e089e 100644 --- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml +++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml 
@@ -154,6 +154,17 @@ spec: extAuth: description: ExtAuth defines the configuration for External Authorization. properties: + failOpen: + default: false + description: FailOpen is a switch used to control the behavior + when a response from the External Authorization service cannot + be obtained. If FailOpen is set to true, the system allows the + traffic to pass through. Otherwise, if it is set to false or + not set (defaulting to false), the system blocks the traffic + and returns a HTTP 5xx error, reflecting a fail-closed approach. + This setting determines whether to prioritize accessibility + over strict security in case of authorization service failure. + type: boolean grpc: description: GRPC defines the gRPC External Authorization service. Either GRPCService or HTTPService must be specified, and only diff --git a/site/content/en/latest/api/extension_types.md b/site/content/en/latest/api/extension_types.md index 8a6252483d7..e1618f6cf52 100644 --- a/site/content/en/latest/api/extension_types.md +++ b/site/content/en/latest/api/extension_types.md 
@@ -910,6 +910,7 @@ _Appears in:_ | `grpc` | _[GRPCExtAuthService](#grpcextauthservice)_ | true | GRPC defines the gRPC External Authorization service. Either GRPCService or HTTPService must be specified, and only one of them can be provided. | | `http` | _[HTTPExtAuthService](#httpextauthservice)_ | true | HTTP defines the HTTP External Authorization service. Either GRPCService or HTTPService must be specified, and only one of them can be provided. | | `headersToExtAuth` | _string array_ | false | HeadersToExtAuth defines the client request headers that will be included in the request to the external authorization service. Note: If not specified, the default behavior for gRPC and HTTP external authorization services is different due to backward compatibility reasons. All headers will be included in the check request to a gRPC authorization server. Only the following headers will be included in the check request to an HTTP authorization server: Host, Method, Path, Content-Length, and Authorization. And these headers will always be included to the check request to an HTTP authorization server by default, no matter whether they are specified in HeadersToExtAuth or not. | +| `failOpen` | _boolean_ | false | FailOpen is a switch used to control the behavior when a response from the External Authorization service cannot be obtained. If FailOpen is set to true, the system allows the traffic to pass through. Otherwise, if it is set to false or not set (defaulting to false), the system blocks the traffic and returns a HTTP 5xx error, reflecting a fail-closed approach. This setting determines whether to prioritize accessibility over strict security in case of authorization service failure. | #### ExtensionAPISettings
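Review bot: In api/v1alpha1/ext_auth_types.go, the FailOpen comment never says which conditions count as "a response from the External Authorization service cannot be obtained" (connection failure, timeout, an error status from the authorization service itself). Because this field decides whether requests reach the backend without an authorization check, list the triggering conditions and state directly that failOpen: true forwards unauthorized requests during an outage, rather than the softer "prioritize accessibility over strict security". Please also confirm that "HTTP 5xx" is the status actually returned in the fail-closed case, since no hunk shown here sets it, and change "a HTTP" to "an HTTP". The CRD description and the extension_types.md row repeat this text, so the wording should be fixed in the Go comment and regenerated.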
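Review bot: In gateway.envoyproxy.io_securitypolicies.yaml, `default: false` on failOpen together with the `FailOpen *bool` pointer type in ext_auth_types.go gives the field two representations of "fail closed": nil and an explicit false. With the schema default, the API server fills in failOpen: false whenever extAuth is present, so the "not set" case in the description is reached mainly by objects built in code, such as tests and fixtures. Either use a plain bool, or make sure every reader of the field treats nil as false and add a test for the nil case, so that an unset field can never be read as fail-open.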