Description | This article explains how to resolve SSL.Anonymous.Ciphers.Negotiation or SSL.Null.Ciphers.Negotiation messages in the Intrusion Prevention log for traffic that was passed. |
Scope | FortiGate IPS. |
Solution |
Some users report that Microsoft traffic (Teams in particular) triggers these messages, which are logged as warnings. Other traffic can trigger them as well.
They appear because the firewall policy has IPS with logging enabled, these IPS signatures have Severity level 1 (Information), and their default action is Pass.
For more detail about the specific signature, refer to these FortiGuard encyclopedia links: https://www.fortiguard.com/encyclopedia/ips/43544 https://www.fortiguard.com/encyclopedia/ips/52410
Addressing this from the Client or Server side is possible but beyond the scope of this article, which focuses on a Firewall solution.
In FortiGate, it is common practice to set IPS actions by severity level rather than per individual signature. For example, levels 4 (high) and 5 (critical) may be set to Block, while levels 3, 2, and 1 use the default action, as shown below. The default action differs per signature: it may be Pass or Block.
To address the issue, add the specific signature to the IPS sensor as its own entry and change its action from the default (Pass) to Block, as shown below. The example uses SSL.Anonymous.Ciphers.Negotiation, but other individual signatures can be added the same way.
After this is added, the IPS sensor profile looks like the following:
A firewall policy that has UTM enabled and uses this updated IPS profile will then block (or act as configured) on traffic matching the signatures defined here. |
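The same sensor built from the FortiOS CLI, as an added example that is not part of the original article. The sensor name, entry numbers and policy ID are mine, and it assumes the FortiGuard encyclopedia IDs 43544 and 52410 in the links above are the signature rule IDs.

```text
# Added example (not from the article). Assumes FortiOS CLI; '#' lines are comments.
config ips sensor
    edit "ips-severity-with-ssl-overrides"
        set comment "Block high/critical; explicit Block for anonymous/NULL cipher signatures"
        config entries
            # Signature-specific entry: the two signatures linked above.
            # Assumption: 43544 and 52410 are their rule IDs.
            edit 1
                set rule 43544 52410
                set status enable
                set log enable
                set action block
            next
            # Severity-based entry: block levels 4 (high) and 5 (critical).
            edit 2
                set severity high critical
                set action block
            next
            # Levels 1 to 3 keep each signature's own default action.
            edit 3
                set severity info low medium
                set action default
            next
        end
    next
end

# Attach the sensor to the policy that generated the log entries.
# <policy-id> is a placeholder; certificate-inspection is a built-in profile.
config firewall policy
    edit <policy-id>
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set ips-sensor "ips-severity-with-ssl-overrides"
    next
end
```

After applying it, confirm in the Intrusion Prevention log that new hits on these signatures no longer show the action Pass.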