Open guillomovitch opened 7 years ago
Using just the minimal set of credentials is essential for reasons documented in the network discovery instructions. However, there is limited intelligence and state management in the agent, by design: it just executes what it has been instructed to do. So, this kind of credentials limitation should be handled on the server side, not on the agent.
From @Stoatwblr on September 15, 2017 12:48
Many newer switches (and other systems) have defence mechanisms enabled which will lock out a querying IP for 5-10 minutes if it probes with an incorrect community (v1,2) or user/password.
They usually also generate a logging alarm, and that is irritating if people are monitoring the systems. These bogus alarms can mask genuine attacks, which is a "Very Bad Thing".
This means that the current mode of operation ("try every SNMP community until something works") is bad practice and counterproductive. It should be deprecated.
When sweeping IP ranges, for any detected hosts:
If the host already exists in GLPI and there is an SNMP community defined, Fusion-agent should ONLY use that.
For all other cases, Fusion-inventory should cache whichever method works and ONLY use that for future probes.
Apart from the issues noted above, these lockouts are also affecting other SNMP management software running on the same machine as the agent.
Copied from original issue: fusioninventory/fusioninventory-agent#383
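
The selection rule proposed in this issue, sketched as server-side logic that decides which credentials a discovery task may try per host. This is an added example, not FusionInventory or GLPI code; the class, the probe stand-in, and all hosts and community strings are constructed for illustration.

```python
class CredentialPlanner:
    """Hypothetical server-side planner: at most one known credential per host."""

    def __init__(self, inventory, candidates):
        self.inventory = dict(inventory)    # host -> credential already defined server-side
        self.candidates = list(candidates)  # fallback list, used only for unknown hosts
        self.cache = {}                     # host -> credential that worked on a past sweep

    def plan(self, host):
        """Return the credentials the agent is allowed to try for this host."""
        if host in self.inventory:
            return [self.inventory[host]]   # defined credential: use ONLY that
        if host in self.cache:
            return [self.cache[host]]       # previously working credential: use ONLY that
        return list(self.candidates)        # first contact: the one sweep that may guess

    def sweep(self, hosts, probe):
        """Probe each host; return how many failed authentications the sweep caused."""
        failures = 0
        for host in hosts:
            for cred in self.plan(host):
                if probe(host, cred):
                    if host not in self.inventory:
                        self.cache[host] = cred
                    break
                failures += 1               # each failure may trigger a lockout and an alarm
        return failures


# Constructed sample data: addresses and community strings are made up.
DEVICES = {"10.0.0.1": "netops-ro", "10.0.0.2": "lab-ro", "10.0.0.3": "lab-ro"}


def fake_probe(host, cred):
    """Stand-in for a real SNMP request: succeeds only with the device's community."""
    return DEVICES.get(host) == cred


def demo():
    planner = CredentialPlanner(
        inventory={"10.0.0.1": "netops-ro"},
        candidates=["public", "netops-ro", "lab-ro"],
    )
    first = planner.sweep(DEVICES, fake_probe)   # unknown hosts are discovered once
    second = planner.sweep(DEVICES, fake_probe)  # later sweeps send one credential per host
    return first, second, planner.cache


if __name__ == "__main__":
    print(demo())
```

A stale credential in the inventory costs one failed attempt per sweep and is never followed by guesses, so the fix for it is a server-side update rather than a fallback to the full list.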