Skip to main content
Version: 2.10.2

SNMP Polling and Traps

SNMP Polling and Traps Service supports protocol version v2C and v3. The service is enabled by default, and you can disable it if not needed.

The service has the following parameters:

ParameterDescription
T – SNMP expiration time in secsExpiration time of SNMP data held in cache, default is 86400 seconds (1day)
Enable(1) or disable(0) SNMP service1 - SNMP service enabled; 0 - SNMP service disabled
SNMP transport timeout in secTime to wait for SNMP reply from network devices to polling requests

You need to configure this service by specifying:

  1. SNMP Credentials: Authentication credentials for SNMP polling
  2. IPv4 device list: The list of IPv4 devices to be polled, including mapping to exporter IP in case you receive flow data from these devices
  3. IPv6 device list: The list of IPv6 devices to be polled, including mapping to exporter IP in case you receive flow data from these devices
  4. MIB library: Optionally add MIBs not included in NFO to build OID sets
  5. SNMP traps input list: SNMP Trap ports and credentials
  6. IPv4 interfaces overrides list: SNMP Polling data defaults / overrides for IPv4 interfaces
  7. IPv6 interfaces overrides list: SNMP Polling data defaults / overrides for IPv6 interfaces

SNMP Credentials

Click on “> SNMP Credetials” to setup SNMP authentications, and press button. In popup screen select SNMPv2c or SNMPv3 and enter corresponding authentication information.

You can add unlimited number of Credential entries.

SNMP service watchlist: Exporter IP, Management IP, Port, Credentials ID, Group, Comment

Specify the mapping between Exporter IP and SNMP Management IP, SNMP polling port number, and the reference to Credential ID created in the previous step.

NFO Modules query this Service to get SNMP data.

10003: SNMP Information Monitor

When flow records are processed by NFO the Module queries this Service to get SNMP data, passing Exporter IP and Interface SNMP index as parameters. In its turn SNMP Service polls corresponding network device, using the Exporter IP/Management IP mapping, and caches this information, until it expires (Parameter: T - SNMP expiration time in secs).

For more information, see SNMP Information Monitor (10003 / 20003).

10103: SNMP Custom OID Sets Monitor

This Module enables you to create your own OIDs sets to report SNMP polling data.

Device group, introduced in NFO 2.8, allows you link OID sets specified in this Module with the Group the device assigned to. For more information, see SNMP Custom OID Sets Monitor (10103 / 20103).

10700: SNMP Traps Monitor

This Module reports SNMP Traps. For more information, see SNMP Traps Monitor (10700 / 20700).

Suspending SNMP Polling from Inactive Devices

If a device is not responding to SNMP polling, the poling for this device is suspended for a period of time.

This period of time is set by the environment variable: NFO_SNMP_INACTIVE_POLL_TIMEOUT (default is 3600 seconds).

While a device is suspended, SNMP service requests for this device are skipped and counted in the number of SNMP polling skipped requests on the Status page.

note

When device is placed on "skip polling" list, an event log for this action is recorded in the nfo_audit.log file, which can be found in the$NFO_HOME/logs directory.

Here is an example:

2023-09-28 14:31:21,317 [NOTICE] -1: service=SNMP threadId=1 description="Unresponsive device" node=10.1.2.5:161 requestType=arbitrary resultCode=-1
2023-09-28 15:31:27,223 [NOTICE] -1: service=SNMP threadId=1 description="Unresponsive device" node=10.1.2.5:161 requestType=table(bulk) resultCode=-1
2023-09-28 16:33:31,644 [NOTICE] -1: service=SNMP threadId=1 description="Unresponsive device" node=10.1.2.5:161 requestType=arbitrary resultCode=-1
2023-09-28 17:33:37,441 [NOTICE] -1: service=SNMP threadId=1 description="Unresponsive device" node=10.1.2.5:161 requestType=arbitrary resultCode=-1

You may forward these logs to your SIEM system for active monitoring and alerting.

If you installed Splunk Universal Forwarder on NFO machine, here is the inputs.conf example:

[monitor:/opt/flowintegrator/logs/nfo_audit.log]
disabled = 0
index = flowintegrator
sourcetype = flowintegrator
_meta = nfo_hostname::nfo-server

Where nfo-server is NFO machine hostname.

Other Environment Variables

The environment variables available for further tuning SNMP polling are described in the table below.

ParameterDescriptionComments
NFO_SNMP_REQ_QUEUE_LENSNMP requests (default and arbitrary) queue lengthdefault=1000 (min – 100, max – 100000)
NFO_SNMP_TRAP_QUEUE_LENSNMP traps queue lengthdefault=1000 (min – 100, max – 100000)
NFO_SNMP_GETBULK_DISABLEDisable GetBulk request for SNMPdefault=0 enable getbulk, 1 - disable getbulk
NFO_SNMP_GETBULK_REPEATERSSNMP max-repetitions count for GetBulk requestdefault=10 (min – 1, max – 100)
NFO_SNMP_MSG_MAX_SIZESNMP maximum message size (maxMsgSize)default=0 (0 means that NetSNMP default value is used, which is 1500) (min - 484, max – 65507)
NFO_SNMP_RETRIESSNMP retries countdefault= -1 (-1 means that NetSNMP default value is used, which is 5) (min - 0, max – 10)
NFO_SNMP_INACTIVE_POLL_TIMEOUTPeriod of time the poling for this device is suspended if device does not replydefault=3600 seconds
NFO_SNMP_THREAD_COUNTThe number of threads allocated for SNMP pollingDefault=1 (min - 1, max - 1024)
note

NFO server environment variables could be set here: Tracing and Configuration