diff --git a/pkg/cli/firewall_log.go b/pkg/cli/firewall_log.go
index b05d89775a1..2860a79a5b5 100644
--- a/pkg/cli/firewall_log.go
+++ b/pkg/cli/firewall_log.go
@@ -468,8 +468,10 @@ func extractFirewallFromAgentLog(logsPath string, verbose bool) *FirewallAnalysi
 	blockedDomainsSet := make(map[string]bool)
 	for line := range strings.SplitSeq(string(content), "\n") {
 		if matches := agentLogAllowDomainsPattern.FindStringSubmatch(line); len(matches) > 1 {
+			// Strip surrounding double quotes if present (e.g., --allow-domains "dom1,dom2")
+			allowDomains := strings.Trim(matches[1], "\"")
 			// Domains can be comma-separated in the suggestion
-			for domain := range strings.SplitSeq(matches[1], ",") {
+			for domain := range strings.SplitSeq(allowDomains, ",") {
 				if d := strings.TrimSpace(domain); d != "" {
 					blockedDomainsSet[d] = true
 				}
diff --git a/pkg/cli/firewall_log_test.go b/pkg/cli/firewall_log_test.go
index 4d3b77bd066..a2a8cd047d6 100644
--- a/pkg/cli/firewall_log_test.go
+++ b/pkg/cli/firewall_log_test.go
@@ -832,6 +832,14 @@ add --allow-domains anthropic.com to your command`,
 			wantTotalReqs:   2,
 			wantBlockedReqs: 2,
 		},
+		{
+			name:            "quoted comma-separated domains strips surrounding double quotes",
+			logContent:      `[WARN] To fix domain issues: --allow-domains "*.githubusercontent.com,api.openai.com,chatgpt.com"`,
+			wantNil:         false,
+			wantBlocked:     []string{"*.githubusercontent.com", "api.openai.com", "chatgpt.com"},
+			wantTotalReqs:   3,
+			wantBlockedReqs: 3,
+		},
 		{
 			name: "deduplicated repeated warnings for same domain",
 			logContent: `add --allow-domains chatgpt.com to your command