SNMP Get Requests on Firewall

Hey All,

I had a question thrown at me today by our firewall administrator, but I can't narrow down the answer, so I am looking for help. He has noticed SNMP get requests on our Cisco ASA devices from something in the Solarwinds environment to IP addresses in the 192.168.0.1-5 range. We are currently not using these addresses, so I am not sure why they are being queried, but it seems to be occurring daily. This is triggering on our IPS so there is some concern, and he would like to reduce our signal to noise ratio. Based on the IP address and the fact that we don't use them, I am figuring this is something running with a default value, and I suspect it might have something to do with the Engineer's Toolset. Since he is the person that installed Solarwinds in our environment, I asked him about the toolset, and he said that he previously had it installed, but said he no longer did and he wasn't aware of anyone else having it.

However, I found that browser integration is turned on in the web console, and the toolset install prompt is there, so I wonder if that can have something to do with this activity. If anyone can provide any information on a possible cause, I would appreciate it.

  • Just wondering if anyone has had a chance to give this much thought yet. I am hoping someone has seen this before and can offer some input.

  • Are you using any other Solarwinds products? I had a similar issue, and the culprit was IPAM scanning the entire subnet.

  • Yes, we are using quite a few of the SW products; right now it looks like NPM, NTM, SAM, and IPAM. How were you able to resolve it?

  • I should note that IPAM is one of the modules that I have the least experience with.

  • Disabling Subnet Neighbor Scanning worked for me. It's under IPAM Settings -> Subnet Scan Settings.

  • Okay, I have been looking around in settings a bit. While IPAM seemed like it could fit, I could find no listing of the IP addresses I mentioned anywhere in IPAM. Not in the addresses, scope or scan settings.

    I then started going to other applications, starting with NTM, another application I am not very familiar with. I checked the Edit IP Address Groups settings in NTM, and I found "Number of Selected Groups: 3" with the Enabled checkbox checked for group Private Addresses 192.168.0.0 - 192.168.255.255.

    The information on this screen states the information below. Do you think that this could be causing the requests? I wouldn't think that this would result in an SNMP request, but so far it is the only instance I have found of the IP addresses in question.

    Check groups to enable monitoring. Checked groups will appear in the Top XX IP Address Group resource.

    IP Address groups can also be used to define application in Manage Applications and Service Ports.

  • I found that option, and it is checked to enable it. I did find that on a lot of the individual subnets, it is disabled. Would disabling on individual subnets override this global setting?

  • Scott,

    NTA doesn't perform any network discovery to my knowledge; that setting is there so it knows how to classify the data it is receiving. Additionally, SAM doesn't actually do any network discovery either. It scans systems for applications when it is manually invoked, but to my knowledge is also not automatic.

    The likely culprits are NPM, specifically a scheduled Network Sonar discovery, or IPAM scanning. Are the scans being detected on a schedule? Default for IPAM is every 4 hours, and typically NPM scans are daily (but that really depends on the person that set it up).

    D

  • Thanks for the additional information on NTA and SAM. I figured that might be the case but wanted to mention it. I suspected NPM with the discovery and checked settings on that, but the settings indicate only our available networks, and no reference to the unused IP addresses I referred to.

    So right now it looks like IPAM is the most likely candidate, most likely with the Neighbor Scanning option that you mentioned. Our firewall guy had to work on something last night and isn't in yet, but when he gets here I plan to get more details from him, including timing of the events he noticed. Perhaps then I could disable that option and see what kind of results we get. I will report back here once I get that done.

    Going back to my original post, do you think there might be something in the toolset that could be doing this, if it is still installed somewhere?

  • Yes to all the above. IPAM does sound like a likely candidate; and if the toolkit is installed, that could be it also depending on how someone has it configured. As a network and network security engineer myself, your IPS and/or firewall should be providing you with the IP address of the source. Did your firewall guy provide the source IP of the SNMPGET? You mentioned it was coming from your SW/Orion environment, so someone knows the actual source IP.

    D
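A small Python script, added here and not part of the thread, that does what D suggests in the two replies above: it pulls the source IP out of firewall/IPS lines for SNMP (udp/161) hits on the unused 192.168.0.1-5 addresses and measures the gap between scan bursts, so the result can be compared with IPAM's 4-hour default or an NPM daily discovery. The syslog-style line format and the sample lines are constructed, and the unused-address list is an assumption.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address

# Constructed sample firewall/IPS lines (not from the thread): SNMP (udp/161) hits
# on the unused 192.168.0.1-5 addresses, plus one unrelated SNMP poll to a live host.
SAMPLE_LOG = """\
2023-05-01T02:00:03 src=10.10.5.20 dst=192.168.0.1 proto=udp dport=161 sig=SNMP-GET
2023-05-01T02:00:03 src=10.10.5.20 dst=192.168.0.2 proto=udp dport=161 sig=SNMP-GET
2023-05-01T06:00:04 src=10.10.5.20 dst=192.168.0.3 proto=udp dport=161 sig=SNMP-GET
2023-05-01T10:00:02 src=10.10.5.20 dst=192.168.0.1 proto=udp dport=161 sig=SNMP-GET
2023-05-01T14:00:05 src=10.10.5.20 dst=192.168.0.4 proto=udp dport=161 sig=SNMP-GET
2023-05-01T09:15:00 src=10.10.7.9 dst=10.20.0.5 proto=udp dport=161 sig=SNMP-GET
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\S+) dport=(?P<dport>\d+)"
)

# Addresses the thread says are not in use (assumed list for this example).
UNUSED = {ip_address(f"192.168.0.{i}") for i in range(1, 6)}


def parse_snmp_events(text):
    """Return (timestamp, src, dst) for every udp/161 line that matches the format."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["proto"] != "udp" or m["dport"] != "161":
            continue
        events.append((datetime.fromisoformat(m["ts"]), ip_address(m["src"]), ip_address(m["dst"])))
    return events


def summarize_by_source(events, unused=UNUSED):
    """Group SNMP requests aimed at unused addresses by source and estimate the poll period."""
    by_src = defaultdict(list)
    for ts, src, dst in events:
        if dst in unused:
            by_src[src].append((ts, dst))
    summary = {}
    for src, hits in by_src.items():
        # Collapse a scan burst into one event per minute, then measure gaps between bursts.
        bursts = sorted({ts.replace(second=0, microsecond=0) for ts, _ in hits})
        gaps = [(b - a).total_seconds() / 3600 for a, b in zip(bursts, bursts[1:])]
        summary[str(src)] = {
            "targets": sorted({str(d) for _, d in hits}, key=ip_address),
            "bursts": len(bursts),
            "median_interval_hours": statistics.median(gaps) if gaps else None,
        }
    return summary
```

A median interval close to 4 hours points at the IPAM scan schedule, while one close to 24 hours points at a scheduled NPM discovery; the source IP in the summary is the host to check for the scanner (or a leftover toolset install).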