>
    Strata Copilot
    Subnet-Site Mapping
    Focus
    Download PDF
    Focus
    1. Home
    2. Device Security
    3. Device Security Administration Guide
    4. Configure IoT Networks
    5. Subnet-Site Mapping
    Download PDF
    Device Security

    Subnet-Site Mapping

    Table of Contents

    Subnet-Site Mapping

    Learn how to set the priority for subnet to site mappings in Device Security when you have multiple sources of subnet to site mappings.
    Where Can I Use This?What Do I Need?
    • Device Security (Managed by Strata Cloud Manager)
    One of the following subscriptions:
    • Device Security subscription for an advanced Device Security product (Enterprise, OT, or Medical)
    • Device Security X subscription
    When you first configure the platform with IP address-based site mapping, you can create an initial device-to-site mapping by uploading a CSV file of the IP address blocks in each of your sites. Over time, the platform learns about subnet-to-site assignments from multiple sources, including manual configuration, IPAM integrations (such as Infoblox or BlueCat), and network management tools (such as SNMP or Cisco Meraki). When these sources provide conflicting data for the same subnet, the platform offers a customizable priority framework for you to define which site assignment to use. By ranking a global source priority, you ensure that your most reliable information takes precedence when the same subnet appears in multiple sources with different site assignments.
    Subnet-site mapping conflict resolution also provides granular control when you need it. You can override the global priority settings for specific subnets, manually selecting a different source for site-mapping priority as needed. This combination of automated conflict resolution with the flexibility for manual overrides improves operational efficiency without compromising data accuracy. Whether automatic or manual, this priority-based approach enables the system to resolve conflicts automatically, while ensuring consistency and accuracy for device locations within your network.
    From the platform's Site Settings, you can configure the global priority order for your data sources. Alternatively, from the Networks table, you can view subnets with site conflicts and manually resolve conflicts for specific subnets by locking them to a preferred source. Setting a site source priority for an individual subnet takes precedence over the global site settings for that subnet.
    If you are an early customer of the legacy solution who uses firewall-based site assignment, then subnet-to-site mapping source priorities do not apply.

    Configure Subnet-Site Mapping Source Priority

    Define a global prioritization order for subnet-site mapping sources. This order determines how subnet-site mapping conflicts are resolved when multiple sources provide conflicting information. The platform assigns sites based on the highest-priority source that provides data for a given subnet.
    1. Select NetworksSitesSite Settings.
    2. Select + Add Source and select a source from the drop-down list that you want to use for subnet-site mappings.
      You can define up to four other sources in addition to the User Config source. By default, the User Config source is the 1st Priority.
      You can change the priority of the User Config source, but you can't delete that source.
      The IP Prefix-Site Assignment Sources in Site Settings, where global source priorities are managed
    3. Drag and drop the sources to arrange them in your desired priority order.
      The source at the top has the highest priority.
    4. Select Save your global source priority configuration, and then Confirm the changes.
      The Save button is disabled if no changes have been made to the priority list or if there are empty priority fields.
    5. View the Networks table under NetworksAll Networks to identify conflicts.
      1. Under the Site Conflict column in the Networks table, any row with "Yes" indicates a subnet-to-site mapping conflict.
      2. Review the Networks page with the Site Conflict column.
        The Networks table with the Site Conflict column used to identify subnets with conflicting site assignments
    6. Open the Subnet Details dialog for a conflicted subnet.
      1. Select the pop-out icon next to the IP Prefix for a subnet that shows "Yes" in the Site Conflict column.
      2. In the Subnet Details dialog expand the Network Infrastructure section.
      3. Select the Assigned by source link, for example, Infoblox IPAM, to view the Site Assignment Details screen.
        The Subnet Details dialog displaying the Network Infrastructure information for a subnet with multiple sources for site assignments
    7. Manually resolve the subnet conflict by locking a source.
      1. In the Site Assignment Details view, review the site assignments reported by each source.
      2. To override the global priority for this specific subnet, select the Source Lock icon next to the source whose site assignment you want to enforce. Locking a source sets it as the primary source for that subnet.
        You can only lock one source at a time for a given subnet.
      3. Save the site assignment.
        Resolve a site conflict by locking a preferred source to enforce its site assignment for the subnet

    © 2026 Palo Alto Networks, Inc. All rights reserved.