"Error: Input line too long" when adding more tenants to Tenant Restriction policy

Article ID: 381538

Products

ProxySG Software - SGOS ISG Proxy

Issue/Introduction

When you add more headers to Edge SWG policies that restrict Office 365 access with TRv1, as described in "Controlling Office 365 access using tenant restrictions on Edge SWG (ProxySG)", you encounter the following error:


% Load failed with error(s)
Error: Input line too long
central:20:     set(request.x_header.Rest
Error: Expecting a valid action identifier, or an end to the current action definition: ''
central:20:     set(request.x_header.Rest

Environment

Edge SWG (ProxySG) with Office 365 Tenant Restriction policies

 

Cause

There is an 8 KB string length limitation on HTTP headers in Edge SWG.

Resolution

To resolve this issue, create a new object with an append action that includes the additional tenants, to work around the 8 KB header limitation.
 
For example:

Suppose your existing policy has a "TenantHeaders" object that restricts tenants, such as:

define action TenantHeaders
 set(request.x_header.Restrict-Access-To-Tenants, "sub_domain_1.onmicrosoft.com, ........, sub_domain_250.onmicrosoft.com")
end action TenantHeaders

You can create another policy object called "MoreTenantHeaders" that appends the additional tenants to the header set by the "TenantHeaders" object, like this:

define action MoreTenantHeaders
 append(request.x_header.Restrict-Access-To-Tenants, "sub_domain_300.onmicrosoft.com, ........,sub_domain_340.onmicrosoft.com")
end action MoreTenantHeaders

When calling the objects in a policy rule, ensure that the new "MoreTenantHeaders" object comes before the original object on the policy rule line:

<Proxy>
condition=TenantRestrictionDestinations action.MoreTenantHeaders(yes) action.TenantHeaders(yes)
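
The Python script below is an added example, not part of the original article or the vendor's tooling: it splits a tenant list into the "TenantHeaders" set string and the "MoreTenantHeaders" append string, and rejects entries that could break out of the quoted policy string. The 8000-byte per-string budget, the function names and the sample tenants are assumptions; the article itself only states an 8 KB limit.

```python
import re

HEADER = "request.x_header.Restrict-Access-To-Tenants"
MAX_VALUE_BYTES = 8000  # assumed budget per quoted string, under the article's 8 KB
# Domain-style tokens only, so an entry cannot close the quoted CPL string.
DOMAIN_RE = re.compile(r"[A-Za-z0-9_-]+(\.[A-Za-z0-9_-]+)*")

def split_tenants(tenants, max_bytes=MAX_VALUE_BYTES):
    """Pack tenants, in order, into ', '-joined strings of at most max_bytes each."""
    chunks, current = [], ""
    for raw in tenants:
        t = raw.strip()
        if not DOMAIN_RE.fullmatch(t) or len(t) > max_bytes:
            raise ValueError(f"rejected tenant entry: {raw!r}")
        candidate = f"{current}, {t}" if current else t
        if len(candidate) > max_bytes:  # ASCII only, so characters == bytes
            chunks.append(current)
            candidate = t
        current = candidate
    if not current:
        raise ValueError("empty tenant list")
    return chunks + [current]

def render_cpl(tenants, max_bytes=MAX_VALUE_BYTES):
    """Emit the set/append objects and the rule line in the article's order."""
    chunks = split_tenants(tenants, max_bytes)
    if len(chunks) > 2:
        raise ValueError("needs more than one append object, which the article does not cover")
    out = ["define action TenantHeaders",
           f' set({HEADER}, "{chunks[0]}")',
           "end action TenantHeaders"]
    actions = "action.TenantHeaders(yes)"
    if len(chunks) == 2:
        out += ["", "define action MoreTenantHeaders",
                f' append({HEADER}, "{chunks[1]}")',
                "end action MoreTenantHeaders"]
        actions = "action.MoreTenantHeaders(yes) " + actions  # append object first
    out += ["", "<Proxy>", f"condition=TenantRestrictionDestinations {actions}"]
    return "\n".join(out)

if __name__ == "__main__":
    # Constructed sample tenants; a small budget forces the split for the demo.
    sample = [f"tenant{i}.onmicrosoft.com" for i in range(1, 7)]
    print(render_cpl(sample, max_bytes=80))
```

Review the generated policy and confirm it with a policy trace before installing it.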


Additional Information

Verify your Edge SWG is utilizing both the original and additional headers by running a policy trace.
 
Refer to the article "Controlling Office 365 access using tenant restrictions on Edge SWG (ProxySG)" for a complete guide to controlling Office 365 access using tenant restrictions on Edge SWG (ProxySG).