SNMP & Device Discovery
NFO uses SNMP to transform raw network telemetry into a context-aware inventory. By decoupling security standards and polling logic from the actual device onboarding, NFO enables a Zero-Touch administrative experience where hardware is automatically identified, classified, and monitored.
The NFO Infrastructure Framework
The system is built on a hierarchy designed to automate the lifecycle of a network device from the moment it is discovered.
- Security & Policy: You define the SNMP Credentials required to access your environment. These form the security foundation for all automated discovery and polling operations.
- Logic & Artifacts: You define OID Sets and manage MIBs to standardize exactly which metrics are queried — standard interface statistics or vendor-specific telemetry.
- Intelligence & Classification: NFO uses built-in rules to perform Zero-Touch Classification. As devices are discovered, NFO automatically assigns them to the correct Device Type and Device Group, ensuring they are immediately queried with the appropriate logic and credentials without manual intervention.
How SNMP Data Flows Through NFO
Once devices are discovered and polling is active, SNMP data enriches flow records in real time through Module 10003: SNMP Information Monitor.
When NFO processes a flow record, Module 10003 receives the Exporter IP and Interface SNMP index from that record and queries the SNMP service for the corresponding device and interface data. The SNMP service uses the Exporter IP → Management IP mapping to poll the correct device, then caches the result until it expires (controlled by the T – SNMP expiration time in secs parameter in SNMP Management).
The enriched data — including interface name, description, speed, device type, and vendor — is merged into the flow record and forwarded to downstream outputs (Splunk, Azure Monitor, IT Ops platforms, etc.).
This means the same device inventory built during Auto-discovery directly determines the quality of flow enrichment: a well-classified device with accurate Device Groups produces richer, more consistent output events across all connected platforms.
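The lookup, cache, and merge steps described above can be sketched as follows. This is an added illustration, not NFO's own code: the class, the flow field names (exporter_ip, input_snmp), the poller, and the sample inventory are all assumptions constructed for the example.

```python
import time

# Constructed sample data; addresses come from the RFC 5737 documentation ranges.
EXPORTER_TO_MGMT = {"192.0.2.1": "198.51.100.10"}  # Exporter IP -> Management IP
DEVICES = {  # stands in for live SNMP responses, keyed by Management IP
    "198.51.100.10": {
        "device_type": "router", "vendor": "ExampleVendor",
        "interfaces": {3: {"if_name": "Gi0/1", "if_descr": "uplink",
                           "if_speed": 1_000_000_000}},
    },
}

def fake_poll(mgmt_ip, if_index):
    """Hypothetical poller: returns interface and device context, or None."""
    dev = DEVICES.get(mgmt_ip)
    iface = dev["interfaces"].get(if_index) if dev else None
    if iface is None:
        return None
    return {"device_type": dev["device_type"], "vendor": dev["vendor"], **iface}

class SnmpEnricher:
    def __init__(self, poll, exporter_to_mgmt, ttl_secs, clock=time.monotonic):
        self.poll, self.exporter_to_mgmt = poll, exporter_to_mgmt
        self.ttl, self.clock = ttl_secs, clock
        self.cache = {}   # (mgmt_ip, if_index) -> (expires_at, data)
        self.polls = 0    # counts real polls so cache behaviour is observable

    def lookup(self, exporter_ip, if_index):
        mgmt_ip = self.exporter_to_mgmt.get(exporter_ip)
        if mgmt_ip is None:
            # Sketch's design choice: an exporter absent from the inventory is
            # never polled, so flow data alone cannot direct SNMP queries.
            return None
        key, now = (mgmt_ip, if_index), self.clock()
        hit = self.cache.get(key)
        if hit is not None and hit[0] > now:
            return hit[1]              # fresh entry, may be a cached miss (None)
        data = self.poll(mgmt_ip, if_index)
        self.polls += 1
        self.cache[key] = (now + self.ttl, data)
        return data

    def enrich(self, flow):
        """Return a copy of the flow with SNMP context merged in when available."""
        data = self.lookup(flow["exporter_ip"], flow["input_snmp"])
        return {**flow, **data} if data else dict(flow)
```

A longer expiration time reduces polling load, but cached interface context can lag behind a device whose interface indexes have changed until the entry expires.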
For high-volume environments, SNMP polling performance can be tuned using environment variables. See SNMP Tuning Environment Variables.
For modern Cisco and Juniper devices that support gRPC-based streaming telemetry, Model Driven Telemetry (MDT) can replace or complement SNMP polling for device health metrics. MDT eliminates polling overhead and delivers data at higher frequency. See Model Driven Telemetry.
SNMP Management
The central configuration reference for credentials, device classification, Auto-discovery, MIB management, interface overrides, trap handling, and performance tuning.
For first-time setup, start with the SNMP Setup Guide. For the full reference, see SNMP Management.
Auto-Discovery
NFO's Auto-discovery engine probes your network on a schedule, identifies hardware using sysObjectID, sysDescription, and Private Enterprise Numbers, and automatically assigns Device Groups and Device Types. The discovery workflow includes:
- Scan Ranges: Define subnets and IP ranges for the scanner, with per-range credential assignment.
- Dry Run & Preview: Test scan logic and review classification results before committing to the production inventory.
- Classification Overrides: Define custom rules for devices that require non-standard Group or Type assignments.
- Inventory Management: View and manage discovered devices before they enter the polling rotation.
- Discovery Reporting: Use Module 10701 to report device inventory, topology, and classification changes to your SIEM.
For full Auto-discovery configuration, see SNMP Management → Auto-Discovery.
SNMP Trap Inputs
NFO can receive SNMP traps from network devices on configurable UDP ports. Traps are processed by Module 10700: SNMP Traps Monitor.
For configuration instructions, see SNMP Trap Inputs.