IPAM Scanning with segmented network (firewalls, etc.)


First allow me to highlight that I'm a complete n00b to SolarWinds . . . but the address management functions look quite interesting . . .

What I'd like to find out - and I cannot find any obvious whitepapers or FAQs that cover this - is what is best practice for making use of IPAM in a highly segmented network with tight firewall rules in place. I.e.: I have a multi-tiered network segmented into a significant number of DMZs - and I want to do both (a) manage the IP address ranges and subnets within the network tiers (DMZs) and (b) be able to monitor the usage of addresses within each network segment AND (most importantly) be able to view all that data from a single console / webpage.

So I think I've figured out that I'd need to allow ICMP and SNMP across firewalls to do this the easy way but sometimes this will NOT be possible for me.

First question is: can I deploy multiple scan points (say one per network zone) and have all report monitoring data to the same database (SQL 2005 as far as I can see) in such a way as to allow a single web console seamless access to all the data in one presentation view? (I.e.: I'd allow IPAM scanner to SQL DB across firewall).

Second question is: can I use a single web console to define and manage subnets, with various monitoring points somehow understanding what I mean?

Yes, it is a largish network (10000+ addresses in the bit of it that I'm interested in), and likely 10 or so network zones that I will not be able to allow ICMP+SNMP traffic for.

If anybody could point me to some information on this sort of thing it would be appreciated. Bonus points if somebody could describe the most optimal way to license it!

Thanks in advance,

- Steve.

Top Replies

  • Anybody out there with an answer? We have the same problem here. We are not able to cross any firewall with IPAM and I have no info on DMZs.

    Thank you for any pointers to a solution.

  • 1) Yes (and no). Each subnet you want to scan can be configured to scan from a different polling engine. You can install polling engines in each zone and you would have exactly what you want... the "no" part is that polling engines are expensive. I am guessing that in the future they might have the option to move this function to an agent or a specialty remote scanner. With WPM (Web Performance Monitor) you can install a "player" on any computer and it becomes a remote location for the web transaction, so they have done this for other products, just not currently IPAM (at least not that I know of).

    2) I think I answered that in #1. Yes you can.

  • Thanks for your answer!

    Would it be possible to open some ports to the IPAM server on the firewall so it could scan with either an SNMP scan or an ARP scan?

    This way you wouldn't need a polling engine? Am I right?

  • You can try @Brian Scott's recommendation but you can also try Neighbor scanning.

  • I guess that 'Neighbor scanning' would not be practical for a big network of many thousands of servers/clients and many DMZs.

    So @Brian Scott's recommendation to use a "polling engine" would be more the way to go.

    Thank you all for your answers.
  • By IPAM server I take it you mean your main SolarWinds server. Yes you can. We have the majority of our networks (highly segmented, here) set up so that ICMP pings and SNMP scans can be made by the SolarWinds server to most networks.

    There is a third option to consider - which is a bit 'off the reservation' but can work in certain situations. We have cloud ASA deployed in Azure, and for some reason these come with a default 'block ICMP' rule applied to VPNs that we can't disable. This means IPAM is unable to scan the subnets up there. I will be writing PowerShell to call the Azure and SolarWinds APIs and update IPAM 'manually'.
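The "call the Azure and SolarWinds APIs and update IPAM manually" approach from the reply above, as an added PowerShell example (not the poster's script and not SolarWinds' own code): it reads the private IPs Azure reports for one resource group and marks them Used in IPAM through SWIS, which is what a scan would have recorded had ICMP been allowed. The Orion hostname, resource group and subnet are placeholders; the SWQL entity names, the IPAM.IPNode status code and the ChangeIpStatus verb are taken from the Orion SDK IPAM API and should be checked against your own SWIS schema before use.

```powershell
# Added example: publish Azure-assigned private IPs into SolarWinds IPAM as 'Used'
# for a subnet that IPAM cannot reach over ICMP/SNMP. Hostname, resource group and
# subnet below are placeholders. Requires the Az.Network and SwisPowerShell modules.
param(
    [string]$OrionHost     = 'orion.example.internal',   # placeholder
    [string]$ResourceGroup = 'rg-dmz-azure',             # placeholder
    [string]$SubnetAddress = '10.50.0.0',                # placeholder: subnet as defined in IPAM
    [int]   $SubnetCidr    = 24,
    [switch]$WhatIf
)
$STATUS_USED = 1   # assumed IPAM.IPNode.Status code for 'Used' (Orion SDK IPAM API); verify on your schema

Import-Module Az.Network
Import-Module SwisPowerShell

# 1. Authoritative list of addresses in use, read from Azure instead of discovered by scanning.
$azureIps = Get-AzNetworkInterface -ResourceGroupName $ResourceGroup |
    ForEach-Object { $_.IpConfigurations.PrivateIpAddress } |
    Where-Object { $_ } | Sort-Object -Unique

# 2. Read what IPAM currently holds for that one subnet (parameterised SWQL, no string splicing).
$swis = Connect-Swis -Hostname $OrionHost -Credential (Get-Credential -Message 'Orion account with IPAM write rights')
$query = @"
SELECT n.IPAddress, n.Status
FROM IPAM.IPNode AS n INNER JOIN IPAM.Subnet AS s ON s.SubnetId = n.SubnetId
WHERE s.Address = @addr AND s.CIDR = @cidr
"@
$ipamStatus = @{}
foreach ($row in (Get-SwisData $swis $query @{ addr = $SubnetAddress; cidr = $SubnetCidr })) {
    $ipamStatus[$row.IPAddress] = $row.Status
}

# 3. Mark Azure-assigned addresses Used; refuse to touch anything outside the chosen subnet,
#    so a wrong resource group cannot write into some other zone's address space.
$updated = 0
foreach ($ip in $azureIps) {
    if (-not $ipamStatus.ContainsKey($ip)) { Write-Warning "$ip is not in $SubnetAddress/$SubnetCidr; skipped"; continue }
    if ($ipamStatus[$ip] -eq $STATUS_USED) { continue }      # already recorded correctly
    if ($WhatIf) { Write-Output "Would mark $ip Used"; continue }
    # ChangeIpStatus(ipAddress, status) is the IPAM.SubnetManagement verb documented in the Orion SDK.
    Invoke-SwisVerb $swis IPAM.SubnetManagement ChangeIpStatus @($ip, 'Used') | Out-Null
    $updated++
}

# 4. Only *report* IPAM 'Used' entries that Azure no longer shows. Freeing them automatically
#    would let a transient Azure API failure release real allocations, so leave that to a human.
$stale = @($ipamStatus.Keys | Where-Object { $ipamStatus[$_] -eq $STATUS_USED -and $azureIps -notcontains $_ })
Write-Output "Marked $updated address(es) Used; $($stale.Count) 'Used' entries not seen in Azure: $($stale -join ', ')"
```

Run it first with -WhatIf from a host that can reach both the Azure API and the Orion server, and keep the IPAM account limited to the subnets it is meant to update.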