FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
JianWu
Staff
Article Id 317987
Description This article explains how to handle SSL.Anonymous.Ciphers.Negotiation and SSL.Null.Ciphers.Negotiation entries in the Intrusion Prevention log, which are recorded for traffic that was passed rather than blocked.
Scope FortiGate IPS.
Solution

Some users report that Microsoft traffic (Teams in particular) triggers these log entries, which are informational rather than errors. Other traffic can trigger them as well.

 

They appear because the firewall policy has IPS enabled with logging, and these two signatures have severity level 1 (Information) with a default action of Pass: the matching traffic is logged but not blocked.

 

For more detail about the specific signature, refer to these FortiGuard encyclopedia links:

https://www.fortiguard.com/encyclopedia/ips/43544

https://www.fortiguard.com/encyclopedia/ips/52410

 

Addressing this from the Client or Server side is possible but beyond the scope of this article, which focuses on a Firewall solution.

 

In FortiGate, it is common to configure IPS sensor filters by severity level rather than by individual signature. For example, levels 4 (high) and 5 (critical) may be set to Block, while levels 3, 2, and 1 are left at the default action, as shown below. The default action differs per signature: it may be Pass or Block. Because these two signatures are severity 1 with a default action of Pass, a severity-based filter of this kind logs them without blocking.

 

(Screenshot: IPS-BasedOnSeverity-Typical.PNG)

 

To block this traffic, add the specific signature to the IPS sensor as its own entry and change the action from the default (Pass) to Block, as shown below.

The example uses SSL.Anonymous.Ciphers.Negotiation; SSL.Null.Ciphers.Negotiation or any other individual signature can be added the same way.

 

(Screenshot: AddingSpecificIPSSignature.PNG)

 

After this is added, the IPS sensor profile looks like the following:

 

(Screenshot: 1.png)

 

A firewall policy with UTM enabled and this IPS sensor applied will then block (or apply the configured action to) traffic that matches the signatures added to the sensor, instead of only logging it.
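The same sensor expressed in the FortiOS CLI, as an added example that is not part of the article. The sensor name "block-anon-ssl" and the firewall policy ID 10 are assumed; the two signature IDs are taken from the FortiGuard encyclopedia links above and are assumed to be the same IDs that "set rule" accepts (the article does not state which ID belongs to which signature). Lines starting with # are explanatory comments.

```fortios
# Added example (not from the article). Sensor name and policy ID are assumed;
# signature IDs 43544 and 52410 come from the encyclopedia links above.
config ips sensor
    edit "block-anon-ssl"
        set comment "Severity filters plus explicit block for anonymous/null cipher negotiation"
        config entries
            # Entry 1: the two SSL signatures, blocked explicitly and still logged.
            # Listed first so it is matched before the severity filters below.
            edit 1
                set rule 43544 52410
                set status enable
                set log enable
                set action block
            next
            # Entry 2: everything rated high (4) or critical (5) is blocked.
            edit 2
                set severity high critical
                set status enable
                set log enable
                set action block
            next
            # Entry 3: info (1), low (2), medium (3) keep each signature's default action.
            edit 3
                set severity info low medium
                set status enable
                set log enable
                set action default
            next
        end
    next
end

# Apply the sensor to the policy that carries the affected traffic (policy ID assumed).
config firewall policy
    edit 10
        set utm-status enable
        set ips-sensor "block-anon-ssl"
    next
end
```

Keep the explicit signature entry above the severity filters: IPS sensor entries are evaluated in the order they are listed, and if the severity-1 "default" filter came first, the two signatures would still fall through to their Pass default. After applying the change, confirm with show ips sensor "block-anon-ssl" that the entry order is as intended, and expect the matching sessions to be dropped, since the article's solution blocks the traffic rather than only suppressing the log line. If the goal is only to silence the log entry without blocking, the same explicit entry can instead keep set action default with set log disable, but that is a different trade-off from the one the article describes.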