Add a Network Segment

Add a network segment to IoT Security by manually configuring one. Use the configured network segment to manage overlapping IP addresses.
A network segment helps IoT Security identify distinct devices with overlapping IP addresses. To take advantage of network segments, create a network segment and then specify which IP block groups in your network overlap across sites. IoT Security automatically detects most networks based on observed traffic, but you can also manually add networks.
Only users with an owner or administrator role can create and manage network segment configurations.

Create a Network Segment

  1. Navigate to Networks > Networks and Sites > Network Segments Configuration.
  2. Add a network segment.
    This brings up the Add Network Segment dialog box.
  3. Enter the network segment configuration details.
    • Name: Enter a name for the network segment.
    • (Optional) Description: Enter a brief description for the network segment.
    • Firewall: Select the firewalls that you want to assign to the network segment. You can search by a firewall's serial number and name, or use the drop-down selector. The drop-down selector shows if firewalls are assigned to a network segment or not. If you select an already assigned firewall, it will be removed from its existing segment after saving the configuration. A network segment must have at least one firewall assigned to it.
    • (Optional) Assigned to site: Select or create the site that the network segment is assigned to. If you don't choose a site, the network segment is assigned to the default site. You can only assign a network segment to one site.
  4. Add the network segment.
  5. Verify that the new network segment appears in the Segments table, with the correct firewalls and site.

Create a Network Shared Block

  1. Navigate to Networks > Networks and Sites > Networks.
  2. (Optional) If the shared IP block group doesn't appear in the Networks table, add the subnet or IP address block.
  3. Convert the shared IP block group from a Subnet or Block to a Shared Block.
    1. In the Networks table, find the Subnet or Block that is reused across multiple sites.
    2. Click the three vertical dots at the far right of the subnet or block row and select Change to IP Shared Block.
    3. After the Networks table refreshes, find the IP Prefix that you changed, and verify that the Type is Shared Block.
  4. Verify that the shared block only has segment types, and that there is a segment for all configured network segments.
    1. Check that the shared block consists of segments.
      Click the IP Prefix field for the shared block. This updates the Networks table to show the shared IP prefix. For all the rows, the Type should be Segment.
    2. Check that the shared block segment information matches your network segment.
      Verify that there is a segment row with a Network Segment attribute that matches the name of each of the network segments in the Segments table under Networks > Networks and Sites > Network Segments Configuration. The Site attribute should match the site that each network segment is assigned to.

Verify the Network Segment Configuration

  1. Verify the network segment.
    1. Navigate to Networks > Networks and Sites > Network Segments Configuration.
    2. Verify that your network segment appears in the Segments table, with the correct firewalls and sites.
  2. Verify the shared block and the network segment mapping.
    1. Navigate to Networks > Networks and Sites > Networks.
    2. In the Networks table, find the shared block that you configured earlier, and select the IP Prefix field.
    3. In the updated Networks table for the shared block, verify that there is a row where the Network Segment attribute is the name of the network segment that you created earlier.
    4. For the same row, verify that the Site attribute is the name of the site that your network segment is assigned to.
  3. (Optional) Verify that the shared block and the network segment belong to the correct site.
    1. Navigate to Networks > Networks and Sites > Sites.
    2. Find the site the network segment belongs to, click the three vertical dots at the far right of the site's row, and select Edit Site.
    3. In the Edit Site dialog box that appears, verify that the following appears in the respective fields.
      • IP Prefix (Optional): The IP prefix of the shared block that you created.
      • Network Segment (Optional): The name of the network segment that you created.
  4. Verify that distinct devices and device attributes are assigned correctly in the devices inventory table.
    Information in the devices inventory table may take time to populate. IoT Security needs to see enough traffic from the network segments to identify devices and device attributes.
    1. Navigate to Assets > Devices.
    2. In the Inventory table, select the Columns icon (three vertical bars) to open the column fields pop-up.
    3. Select the following column options.
      • IP Address under the Basic category.
      • Network Segments under the Network category.
      • Firewall under the TRAFFIC category.
    4. Return to the Inventory table and verify that devices with overlapping IP addresses have the correct network segment attribute, and the firewall matches one of the firewalls assigned to the corresponding network segment.
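
The final inventory check, scripted as an added example (not part of the product or its documentation). It assumes the IP Address, Network Segments and Firewall columns from the Inventory table have been copied into CSV text and that the segment-to-firewall assignments from the Segments table are entered by hand; all segment names, firewall names and addresses below are constructed.

```python
import csv
import io
from collections import defaultdict

# Constructed sample: segment name -> firewalls, as read off the Segments table.
SEGMENT_FIREWALLS = {"plant-a": {"FW-0001"}, "plant-b": {"FW-0002", "FW-0003"}}

# Constructed sample rows using the three columns selected in the procedure.
INVENTORY_CSV = """IP Address,Network Segments,Firewall
10.1.1.20,plant-a,FW-0001
10.1.1.20,plant-b,FW-0002
10.1.1.21,plant-b,FW-0001
10.1.1.22,,FW-0003
"""

def check_segments(segment_firewalls):
    """Each segment needs at least one firewall; a firewall sits in one segment."""
    problems, owner = [], {}
    for seg, fws in segment_firewalls.items():
        if not fws:
            problems.append(f"{seg}: no firewall assigned")
        for fw in sorted(fws):
            if fw in owner:
                problems.append(f"{fw}: in both {owner[fw]} and {seg}")
            owner.setdefault(fw, seg)
    return problems

def check_inventory(csv_text, segment_firewalls):
    """Return (findings, overlapping): bad rows and IPs seen in several rows."""
    findings, seen = [], defaultdict(list)
    rows = csv.DictReader(io.StringIO(csv_text))
    for line, row in enumerate(rows, start=2):  # line 1 is the header
        ip, seg, fw = row["IP Address"], row["Network Segments"], row["Firewall"]
        seen[ip].append(seg)
        if not seg:
            findings.append((line, ip, "no network segment attribute"))
        elif seg not in segment_firewalls:
            findings.append((line, ip, f"unknown network segment {seg}"))
        elif fw not in segment_firewalls[seg]:
            findings.append((line, ip, f"firewall {fw} not assigned to {seg}"))
    overlapping = {ip: segs for ip, segs in seen.items() if len(segs) > 1}
    return findings, overlapping

if __name__ == "__main__":
    print(check_segments(SEGMENT_FIREWALLS))
    findings, overlapping = check_inventory(INVENTORY_CSV, SEGMENT_FIREWALLS)
    for ip, segs in overlapping.items():
        print(f"overlapping {ip}: segments {segs}")
    for line, ip, msg in findings:
        print(f"line {line}: {ip}: {msg}")
```

An overlapping IP whose rows all carry a valid, distinct segment is the expected result; rows reported as findings are the ones to recheck against the Segments table.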