
Just a quick thought... what about all the monitoring software that relies on SNMP?



Not only is it all internal, but in modern networks SNMP is usually run on specific dedicated backchannel networks, precisely because anyone who has done network security since 1994 knows that SNMP is terribly insecure.

It may be a little less rigorous because ASAs are often prem boxes in enterprise environments, not like tier 1 backbone components. But it might be a little more rigorous because ASAs are firewalls.


I'd say that not only is it all NOT internal, it is often not run on "specific dedicated backchannel networks". Ask anyone who was a victim of a DDoS that made use of SNMP amplification.

I would agree that it should be internal and should be run on internal-only interfaces/networks but the reality is that that very often isn't the case.

The average ASA is better off than most other devices simply because one must explicitly configure and enable SNMP on it. Too many other devices ship with it enabled, accessible from 0/0, with the default community strings set to "public" and "private". I believe the last abuse@ e-mail I received notifying me of a customer with a device exactly like that was on Saturday.
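An added example, not code posted by anyone in this thread: a minimal SNMPv2c GET encoder and response parser, plus a probe that sends sysDescr.0 requests with the default "public" and "private" community strings to see whether a device answers on UDP 161. It is the check one would run against one's own address space to find the kind of device described above. The function names, the hypothetical host argument and the embedded sample response are my own constructions; only the SNMP/BER framing is standard.

```python
"""Probe a host for SNMPv2c access with default community strings.

Added example. Hand-rolls the BER framing so it runs with only the
standard library; the sample response at the bottom is constructed.
"""
import socket
import sys

SYSDESCR_0 = "1.3.6.1.2.1.1.1.0"  # sysDescr.0, present on every SNMP agent
GET_REQUEST, GET_RESPONSE = 0xA0, 0xA2  # context-specific PDU tags


def ber_len(n):
    """BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + ber_len(len(body)) + body


def encode_int(v):
    """Minimal two's-complement INTEGER."""
    if v == 0:
        return tlv(0x02, b"\x00")
    body = v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True)
    while len(body) > 1 and ((body[0] == 0x00 and body[1] < 0x80) or
                             (body[0] == 0xFF and body[1] >= 0x80)):
        body = body[1:]
    return tlv(0x02, body)


def encode_oid(oid):
    arcs = [int(a) for a in oid.strip(".").split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])  # first two arcs share a byte
    for a in arcs[2:]:
        chunk = bytearray([a & 0x7F])
        a >>= 7
        while a:  # base-128 with continuation bit on all but the last byte
            chunk.insert(0, 0x80 | (a & 0x7F))
            a >>= 7
        out += chunk
    return tlv(0x06, bytes(out))


def _message(pdu_tag, community, request_id, varbinds_body, version=1):
    """SNMP message: SEQUENCE { version, community, PDU }."""
    pdu = tlv(pdu_tag, encode_int(request_id) + encode_int(0) +
              encode_int(0) + tlv(0x30, varbinds_body))
    return tlv(0x30, encode_int(version) + tlv(0x04, community.encode()) + pdu)


def build_get_request(community, oid, request_id):
    """SNMPv2c GetRequest for one OID with a NULL value placeholder."""
    return _message(GET_REQUEST, community, request_id,
                    tlv(0x30, encode_oid(oid) + b"\x05\x00"))


def _read_tlv(data, pos):
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length


def _decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def parse_response(data):
    """Parse a GetResponse into community, ids, status and (oid, value) pairs."""
    tag, msg, _ = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, ver, pos = _read_tlv(msg, 0)
    _, comm, pos = _read_tlv(msg, pos)
    tag, pdu, _ = _read_tlv(msg, pos)
    if tag != GET_RESPONSE:
        raise ValueError("not a GetResponse PDU")
    _, rid, pos = _read_tlv(pdu, 0)
    _, err, pos = _read_tlv(pdu, pos)
    _, idx, pos = _read_tlv(pdu, pos)
    _, vbl, _ = _read_tlv(pdu, pos)
    varbinds, pos = [], 0
    while pos < len(vbl):
        _, vb, pos = _read_tlv(vbl, pos)
        _, oidb, p = _read_tlv(vb, 0)
        vtag, vbody, _ = _read_tlv(vb, p)
        value = {0x04: lambda b: b.decode("latin-1"),
                 0x02: lambda b: int.from_bytes(b, "big", signed=True),
                 0x06: _decode_oid, 0x05: lambda b: None}.get(vtag, bytes)(vbody)
        varbinds.append((_decode_oid(oidb), value))
    return {"version": int.from_bytes(ver, "big", signed=True),
            "community": comm.decode("latin-1"),
            "request_id": int.from_bytes(rid, "big", signed=True),
            "error_status": int.from_bytes(err, "big", signed=True),
            "varbinds": varbinds}


def probe_default_communities(host, communities=("public", "private"),
                              port=161, timeout=2.0):
    """Return {community: sysDescr} for every default community that answers."""
    answered = {}
    for i, community in enumerate(communities, start=1):
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        sock.settimeout(timeout)
        try:
            sock.sendto(build_get_request(community, SYSDESCR_0, i), (host, port))
            resp = parse_response(sock.recvfrom(4096)[0])
            if resp["request_id"] == i and resp["error_status"] == 0:
                answered[community] = resp["varbinds"][0][1]
        except (socket.timeout, ValueError, IndexError):
            pass  # no answer, or something that is not a clean GetResponse
        finally:
            sock.close()
    return answered


# Constructed sample response (no real device), used to exercise the parser.
SAMPLE_RESPONSE = _message(GET_RESPONSE, "public", 1,
                           tlv(0x30, encode_oid(SYSDESCR_0) +
                               tlv(0x04, b"Constructed test device")))

if __name__ == "__main__":
    print(probe_default_communities(sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"))
```

Run it as `python snmp_probe.py <host>` against a device you own; an empty result means neither default community produced a GetResponse within the timeout. The request is 40 bytes on the wire, and the reply carrying sysDescr is usually several times larger, which is the size asymmetry that reflection attacks on open agents exploit.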


Just a quick google for: Remote grafana SNMP, Remote LibreNMS SNMP, Remote Observium SNMP, etc. leads to all kinds of good stuff.


I mean, you can literally just ask a site like Shodan to give you a list of publicly available SNMP interfaces. Do you see a lot of what look like ASAs on that list?


It's not that common to monitor your network infra from the internet, is it? Surely you're piping SNMP over local interfaces?



