Network SNI rules don't apply

I’ve connected a private network to the Gateway and using WARP client.
Resources are reachable, ssh, kubernetes api etc.
Adding rule Blocking kube API by SNI doesn’t work.

Blocking the whole private network and then trying to Allow by SNI doesn’t work either.
Logs clearly show the same SNI as in the rule Blocked by the later rule.
I clearly see in tcpdump that SNI was presented to the Gateway but it just sends FIN and closes connection :confused:

BTW if i remove the first part of the hostname and use SNI Domain then it works like a charm. I can’t do that though i need it by hostname.

Any ideas what am i doing wrong?
I have Proxy TCP/UDP enabled. No TLS inspection. Split Tunnel in Inclusive mode with my private network listed