SNMP Polling and Traps
The SNMP Polling and Traps Service supports SNMP protocol versions v2c and v3. The service is enabled by default, and you can disable it if it is not needed.
The service has the following parameters:
Parameter | Description |
---|---|
T – SNMP expiration time in secs | Expiration time of SNMP data held in cache; default is 86400 seconds (1 day) |
Enable(1) or disable(0) SNMP service | 1 - SNMP service enabled; 0 - SNMP service disabled |
SNMP transport timeout in sec | Time to wait for SNMP reply from network devices to polling requests |
You need to configure this service by specifying:
- SNMP Credentials: Authentication credentials for SNMP polling
- IPv4 device list: The list of IPv4 devices to be polled, including mapping to exporter IP in case you receive flow data from these devices
- IPv6 device list: The list of IPv6 devices to be polled, including mapping to exporter IP in case you receive flow data from these devices
- MIB library: Optionally add MIBs not included in NFO to build OID sets
- SNMP traps input list: SNMP Trap ports and credentials
- IPv4 interfaces overrides list: SNMP Polling data defaults / overrides for IPv4 interfaces
- IPv6 interfaces overrides list: SNMP Polling data defaults / overrides for IPv6 interfaces
SNMP Credentials
Click on “> SNMP Credentials” to set up SNMP authentication, and press the button. In the popup screen, select SNMPv2c or SNMPv3 and enter the corresponding authentication information.
You can add an unlimited number of Credential entries.
SNMP service watchlist: Exporter IP, Management IP, Port, Credentials ID, Group, Comment
Specify the mapping between Exporter IP and SNMP Management IP, SNMP polling port number, and the reference to Credential ID created in the previous step.
NFO Modules query this Service to get SNMP data.
10003: SNMP Information Monitor
When flow records are processed by NFO, the Module queries this Service to get SNMP data, passing the Exporter IP and the Interface SNMP index as parameters. In turn, the SNMP Service polls the corresponding network device, using the Exporter IP/Management IP mapping, and caches this information until it expires (Parameter: T - SNMP expiration time in secs).
For more information, see SNMP Information Monitor (10003 / 20003).
10103: SNMP Custom OID Sets Monitor
This Module enables you to create your own OIDs sets to report SNMP polling data.
Device group, introduced in NFO 2.8, allows you to link OID sets specified in this Module with the Group the device is assigned to. For more information, see SNMP Custom OID Sets Monitor (10103 / 20103).
10700: SNMP Traps Monitor
This Module reports SNMP Traps. For more information, see SNMP Traps Monitor (10700 / 20700).
Suspending SNMP Polling from Inactive Devices
If a device is not responding to SNMP polling, the polling for this device is suspended for a period of time.
This period of time is set by the environment variable: NFO_SNMP_INACTIVE_POLL_TIMEOUT (default is 3600 seconds).
While a device is suspended, SNMP service requests for this device are skipped and counted in the number of SNMP polling skipped requests on the Status page.
When a device is placed on the "skip polling" list, an event log for this action is recorded in the nfo_audit.log file, which can be found in the $NFO_HOME/logs directory.
Here is an example:
2023-09-28 14:31:21,317 [NOTICE] -1: service=SNMP threadId=1 description="Unresponsive device" node=10.1.2.5:161 requestType=arbitrary resultCode=-1
2023-09-28 15:31:27,223 [NOTICE] -1: service=SNMP threadId=1 description="Unresponsive device" node=10.1.2.5:161 requestType=table(bulk) resultCode=-1
2023-09-28 16:33:31,644 [NOTICE] -1: service=SNMP threadId=1 description="Unresponsive device" node=10.1.2.5:161 requestType=arbitrary resultCode=-1
2023-09-28 17:33:37,441 [NOTICE] -1: service=SNMP threadId=1 description="Unresponsive device" node=10.1.2.5:161 requestType=arbitrary resultCode=-1
You may forward these logs to your SIEM system for active monitoring and alerting.
If you installed Splunk Universal Forwarder on the NFO machine, here is an inputs.conf example:
[monitor:///opt/flowintegrator/logs/nfo_audit.log]
disabled = 0
index = flowintegrator
sourcetype = flowintegrator
_meta = nfo_hostname::nfo-server
Where nfo-server is the NFO machine hostname.
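The audit entries shown above can drive a SIEM-style check for devices that stay unresponsive. The following is an added example, not part of NFO or its documentation: it parses the nfo_audit.log format and flags nodes that are re-suspended in back-to-back suspension windows. The function names, the 600-second slack and the three-event threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Sample input: the four entries from the page plus two constructed lines
# (a second node seen once, and a different event) to exercise the filter.
SAMPLE_LOG = """\
2023-09-28 14:31:21,317 [NOTICE] -1: service=SNMP threadId=1 description="Unresponsive device" node=10.1.2.5:161 requestType=arbitrary resultCode=-1
2023-09-28 14:40:02,101 [NOTICE] -1: service=SNMP threadId=1 description="Unresponsive device" node=10.1.2.9:161 requestType=arbitrary resultCode=-1
2023-09-28 15:31:27,223 [NOTICE] -1: service=SNMP threadId=1 description="Unresponsive device" node=10.1.2.5:161 requestType=table(bulk) resultCode=-1
2023-09-28 16:33:31,644 [NOTICE] -1: service=SNMP threadId=1 description="Unresponsive device" node=10.1.2.5:161 requestType=arbitrary resultCode=-1
2023-09-28 17:33:37,441 [NOTICE] -1: service=SNMP threadId=1 description="Unresponsive device" node=10.1.2.5:161 requestType=arbitrary resultCode=-1
2023-09-28 17:40:00,000 [NOTICE] -1: service=SNMP threadId=1 description="Constructed other event" node=10.1.2.9:161
"""

LINE_RE = re.compile(r'^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+ \[(\w+)\] \S+ (.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    """Split one audit line into a dict of its key=value fields plus 'time'."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # not in the audit format; skip rather than fail
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group(3))}
    fields["time"] = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    return fields

def persistent_unresponsive(log_text, suspend_secs=3600, slack_secs=600, min_events=3):
    """Return {node: (count, run_start, last_seen)} for nodes whose latest run of
    consecutive suspensions (gap <= suspend_secs + slack_secs) has >= min_events."""
    by_node = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev.get("service") == "SNMP" and ev.get("description") == "Unresponsive device":
            by_node[ev["node"]].append(ev["time"])
    max_gap = timedelta(seconds=suspend_secs + slack_secs)
    alerts = {}
    for node, times in by_node.items():
        times.sort()
        run_start, count = times[0], 1
        for prev, cur in zip(times, times[1:]):
            if cur - prev <= max_gap:
                count += 1
            else:  # device answered in between, so a new run starts here
                run_start, count = cur, 1
        if count >= min_events:
            alerts[node] = (count, run_start, times[-1])
    return alerts
```

Set suspend_secs to the value of NFO_SNMP_INACTIVE_POLL_TIMEOUT in use, since that determines the expected spacing between entries for a device that never recovers.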
Other Environment Variables
The environment variables available for further tuning SNMP polling are described in the table below.
Parameter | Description | Comments |
---|---|---|
NFO_SNMP_REQ_QUEUE_LEN | SNMP requests (default and arbitrary) queue length | default=1000 (min – 100, max – 100000) |
NFO_SNMP_TRAP_QUEUE_LEN | SNMP traps queue length | default=1000 (min – 100, max – 100000) |
NFO_SNMP_GETBULK_DISABLE | Disable GetBulk request for SNMP | default=0 (0 - enable GetBulk, 1 - disable GetBulk) |
NFO_SNMP_GETBULK_REPEATERS | SNMP max-repetitions count for GetBulk request | default=10 (min – 1, max – 100) |
NFO_SNMP_MSG_MAX_SIZE | SNMP maximum message size (maxMsgSize) | default=0 (0 means that NetSNMP default value is used, which is 1500) (min - 484, max – 65507) |
NFO_SNMP_RETRIES | SNMP retries count | default= -1 (-1 means that NetSNMP default value is used, which is 5) (min - 0, max – 10) |
NFO_SNMP_INACTIVE_POLL_TIMEOUT | Period of time the polling for a device is suspended if the device does not reply | default=3600 seconds |
NFO_SNMP_THREAD_COUNT | The number of threads allocated for SNMP polling | Default=1 (min - 1, max - 1024) |
NFO server environment variables can be set here: Tracing and Configuration