Version: Next

SNMP Management

The SNMP Service supports SNMP versions v2c and v3, and includes:

  • SNMP Polling
  • SNMP Traps
  • SNMP Auto-discovery

The service is enabled by default, and you can disable it if not needed.

The service has the following parameters:

| Parameter | Description |
| --- | --- |
| T – SNMP expiration time in secs | Expiration time of SNMP data held in cache, default is 86400 seconds (1 day) |
| Enable(1) or disable(0) SNMP service | 1 - SNMP service enabled; 0 - SNMP service disabled |
| SNMP transport timeout in sec | Time to wait for SNMP reply from network devices to polling requests |

You need to configure this service by specifying:

The following image highlights the key parameters and sections within the SNMP Management interface, where you configure NetFlow Optimizer's interaction with network devices via SNMP for polling, trap handling, and auto-discovery. Refer to the numbered callouts in the image and their corresponding descriptions below for details on each element.

  1. SNMP Credentials: Authentication credentials for SNMP polling
  2. SNMP Groups: Settings for SNMP device groups
  3. Auto-discovery: Settings for SNMP-based autodiscovery, such as IP ranges, device groups, and other parameters
  4. IPv4 device list: The list of IPv4 devices to be polled, including mapping to exporter IP in case you receive flow data from these devices
  5. IPv6 device list: The list of IPv6 devices to be polled, including mapping to exporter IP in case you receive flow data from these devices
  6. MIB library: Optionally add MIBs not included in NFO to build OID sets
  7. SNMP traps input list: SNMP Trap ports and credentials
  8. IPv4 interfaces overrides list: SNMP Polling data defaults / overrides for IPv4 interfaces
  9. IPv6 interfaces overrides list: SNMP Polling data defaults / overrides for IPv6 interfaces

SNMP Credentials

Click on “> SNMP Credentials” to set up SNMP authentication, and press the button. In the popup screen, select SNMPv2c or SNMPv3 and enter the corresponding authentication information.

You can add an unlimited number of credential entries.

SNMP Connectivity Tester

The SNMP Connectivity Tester is a utility used to verify that NFO can successfully reach and query a target network device using the specified credentials and settings. It is a critical troubleshooting step before adding a device to the main polling lists.

Using the Tester

The utility can be accessed via the SNMP Management interface. You must supply the necessary information for the test:

| Parameter | Description |
| --- | --- |
| Target IP address | The IP address of the device you want to test. |
| Target port | The UDP port used for SNMP communication (default is 161). |
| SNMP credentials | Select a set of configured SNMPv2c or SNMPv3 credentials to use for the test. |
| SNMP operation | The SNMP command to execute. Options typically include snmpget (for a single OID) or snmpwalk (to traverse an OID tree). |
| Optional OIDs | Specify the OIDs you wish to query (e.g., sysName.0). Leave this field blank to perform a basic connection test, which often attempts to retrieve core system OIDs like sysDescr or sysName. |
| Retries | The number of times the tester should attempt the query if the initial attempt fails. |
| Timeout ms | The maximum time (in milliseconds) to wait for a response from the device before concluding the attempt has failed. |

After configuring the parameters, click "Test Connection" to view the results in the Test result box.

Auto-discovery

Click on “> Auto-discovery” and select EDFN Agent to configure IP ranges and other parameters.

For detailed information, visit: > EDFN Administration Guide > EDFN Agents Configuration > Configuring Auto-Discovery Based on SNMP Polling.

NFO Modules Using SNMP Data

10003: SNMP Information Monitor

When flow records are processed by NFO, the Module queries this Service to get SNMP data, passing the Exporter IP and the Interface SNMP index as parameters. In turn, the SNMP Service polls the corresponding network device, using the Exporter IP/Management IP mapping, and caches this information until it expires (Parameter: T - SNMP expiration time in secs).

For more information, see SNMP Information Monitor (10003 / 20003).

10103: SNMP Custom OID Sets Monitor

This Module enables you to create your own OID sets to report SNMP polling data.

Device groups, introduced in NFO 2.8, allow you to link the OID sets specified in this Module with the Group the device is assigned to. For more information, see SNMP Custom OID Sets Monitor (10103 / 20103).

10700: SNMP Traps Monitor

This Module reports SNMP Traps. For more information, see SNMP Traps Monitor (10700 / 20700).

10701: Auto-discovery Reporter

This Module reports auto-discovered devices and device connections. For more information, see Auto-discovery Reporter (10701 / 20701 - 20702).

Suspending SNMP Polling from Inactive Devices

If a device does not respond to SNMP polling, polling for this device is suspended for a period of time.

This period of time is set by the environment variable: NFO_SNMP_INACTIVE_POLL_TIMEOUT (default is 3600 seconds).

While a device is suspended, SNMP service requests for this device are skipped and counted in the number of SNMP polling skipped requests on the Status page.

Note

When a device is placed on the "skip polling" list, an event for this action is recorded in the nfo_audit.log file, which can be found in the $NFO_HOME/logs directory.

Here is an example:

2023-09-28 14:31:21,317 [NOTICE] -1: service=SNMP threadId=1 description="Unresponsive device" node=10.1.2.5:161 requestType=arbitrary resultCode=-1
2023-09-28 15:31:27,223 [NOTICE] -1: service=SNMP threadId=1 description="Unresponsive device" node=10.1.2.5:161 requestType=table(bulk) resultCode=-1
2023-09-28 16:33:31,644 [NOTICE] -1: service=SNMP threadId=1 description="Unresponsive device" node=10.1.2.5:161 requestType=arbitrary resultCode=-1
2023-09-28 17:33:37,441 [NOTICE] -1: service=SNMP threadId=1 description="Unresponsive device" node=10.1.2.5:161 requestType=arbitrary resultCode=-1

You may forward these logs to your SIEM system for active monitoring and alerting.

If you have installed the Splunk Universal Forwarder on the NFO machine, here is an inputs.conf example:

[monitor:///opt/flowintegrator/logs/nfo_audit.log]
disabled = 0
index = flowintegrator
sourcetype = flowintegrator
_meta = nfo_hostname::nfo-server

Here, nfo-server is the hostname of the NFO machine.
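As an added example (not part of NFO or of the original page), the following Python sketch shows the kind of alerting logic these audit events support: it parses nfo_audit.log lines in the format shown above and flags devices that are re-suspended back to back, meaning they failed again as soon as each suspension window ended. The function names, the `slack` allowance, the `min_events` threshold and the two log lines for 10.1.2.9 are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: the four lines from the page plus two invented lines for 10.1.2.9.
SAMPLE_LOG = """\
2023-09-28 09:00:02,101 [NOTICE] -1: service=SNMP threadId=1 description="Unresponsive device" node=10.1.2.9:161 requestType=arbitrary resultCode=-1
2023-09-28 14:31:21,317 [NOTICE] -1: service=SNMP threadId=1 description="Unresponsive device" node=10.1.2.5:161 requestType=arbitrary resultCode=-1
2023-09-28 15:00:09,550 [NOTICE] -1: service=SNMP threadId=1 description="Unresponsive device" node=10.1.2.9:161 requestType=arbitrary resultCode=-1
2023-09-28 15:31:27,223 [NOTICE] -1: service=SNMP threadId=1 description="Unresponsive device" node=10.1.2.5:161 requestType=table(bulk) resultCode=-1
2023-09-28 16:33:31,644 [NOTICE] -1: service=SNMP threadId=1 description="Unresponsive device" node=10.1.2.5:161 requestType=arbitrary resultCode=-1
2023-09-28 17:33:37,441 [NOTICE] -1: service=SNMP threadId=1 description="Unresponsive device" node=10.1.2.5:161 requestType=arbitrary resultCode=-1
"""

LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d{3} \[\w+\] [^:]*: (.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    """Return the key=value fields of one audit line plus a 'time' key, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group(2))}
    rec["time"] = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    return rec

def persistent_outages(log_text, poll_timeout=3600, slack=300, min_events=3):
    """Map node -> (first, last, count) for its longest run of suspensions whose
    gaps are at most poll_timeout + slack seconds (slack is an assumed allowance)."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec.get("service") == "SNMP" and rec.get("description") == "Unresponsive device":
            events[rec["node"]].append(rec["time"])
    window = timedelta(seconds=poll_timeout + slack)
    flagged = {}
    for node, times in events.items():
        times.sort()
        start, run, best = times[0], 1, (times[0], times[0], 1)
        for prev, cur in zip(times, times[1:]):
            start, run = (start, run + 1) if cur - prev <= window else (cur, 1)
            if run > best[2]:
                best = (start, cur, run)
        if best[2] >= min_events:
            flagged[node] = best
    return flagged

if __name__ == "__main__":
    for node, (first, last, n) in persistent_outages(SAMPLE_LOG).items():
        print(f"{node}: {n} consecutive suspensions, {first} to {last}")
```

Set `poll_timeout` to the value of NFO_SNMP_INACTIVE_POLL_TIMEOUT in use, since that determines how far apart consecutive suspension events appear.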

Other Environment Variables

The environment variables available for further tuning SNMP polling and traps are described in the table below.

| Parameter | Description | Comments |
| --- | --- | --- |
| NFO_SNMP_REQ_QUEUE_LEN | SNMP requests (default and arbitrary) queue length | default=1000 (min – 100, max – 100000) |
| NFO_SNMP_TRAP_QUEUE_LEN | SNMP traps queue length | default=1000 (min – 100, max – 100000) |
| NFO_SNMP_TRAP_UNK_SEC_NAME_TIMEOUT | When a trap is received from a device with unconfigured credentials, the device is suspended for this period of time | default=600 seconds (min – 60, max – 86400) |
| NFO_SNMP_GETBULK_DISABLE | Disable GetBulk request for SNMP | default=0 enable getbulk, 1 - disable getbulk |
| NFO_SNMP_GETBULK_REPEATERS | SNMP max-repetitions count for GetBulk request | default=10 (min – 1, max – 100) |
| NFO_SNMP_MSG_MAX_SIZE | SNMP maximum message size (maxMsgSize) | default=0 (0 means that NetSNMP default value is used, which is 1500) (min - 484, max – 65507) |
| NFO_SNMP_RETRIES | SNMP retries count | default= -1 (-1 means that NetSNMP default value is used, which is 5) (min - 0, max – 10) |
| NFO_SNMP_INACTIVE_POLL_TIMEOUT | Period of time the polling for this device is suspended if the device does not reply | default=3600 seconds |
| NFO_SNMP_THREAD_COUNT | The number of threads allocated for SNMP polling | Default=1 (min - 1, max - 1024) |

Note

NFO server environment variables can be set here: Tracing and Configuration