Devices with Overlapping IP Addresses
Device Security uses network segments to detect and learn about devices that share an
overlapping IP address.
| Where Can I Use This? | What Do I Need? |
| --- | --- |
| | One of the following subscriptions: Device Security subscription for an advanced Device Security product (Enterprise, OT, or Medical); Device Security X subscription |
Overlapping IP addresses, also known as shared IP blocks, occur when an IP CIDR block is
reused across different networks. In industries where each site operates independently,
such as retail or manufacturing plants, a shared IP block can exist at multiple sites.
Other common use cases for overlapping IP addresses include guest networks, or local
resources that don't need enterprise-wide access. In these scenarios, devices using
shared IP blocks don't communicate with other devices using the same shared IP block.
Device Security uses network segments to identify when there are overlapping IP
addresses because multiple networks are using a shared IP block. A network segment is an
association of one or more firewalls that is assigned to a site. Each firewall can only
be assigned to one network segment, and each network segment can only be assigned to one
site. This helps Device Security distinguish devices with overlapping IP addresses,
based on what firewall and IP address the traffic is coming from.
Because Device Security relies on a combination of both network segment and IP address
block assignments to a site, you must use IP address-based site assignment to support
device identification when there are overlapping IP addresses. Deployments that use
firewall-based site assignment cannot use network segments.
Using a combination of IP address and network segment, Device Security identifies
distinct devices within overlapping IP blocks that different firewalls observe and
creates more accurate IP address-to-MAC address bindings. This improves the
completeness of the asset inventory by accurately representing the unique devices, their
attributes, and behaviors within each shared IP block. Additionally, by matching traffic
from overlapping IP addresses to the correct devices, Device Security creates a more
accurate behavior baseline for both devices and profiles. In turn, an accurate behavior
baseline provides higher confidence in risk assessments and policy recommendations,
while reducing false positives due to inaccurate anomaly detections.
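The following conceptual sketch, added here as an example and not Device Security's own implementation, shows why keying on network segment plus IP address keeps IP address-to-MAC address bindings distinct when two sites reuse the same block. The firewall names, segment names, sites, and MAC addresses are constructed.

```python
from collections import defaultdict

# Constructed sample data: firewall -> network segment, segment -> site.
# Dict keys enforce the rule that a firewall belongs to exactly one
# segment and a segment to exactly one site.
FIREWALL_SEGMENT = {"fw-store1": "seg-store1", "fw-store2": "seg-store2"}
SEGMENT_SITE = {"seg-store1": "Store 1", "seg-store2": "Store 2"}

# Constructed observations: (reporting firewall, source IP, source MAC).
# Both stores reuse 192.168.10.0/24.
OBSERVATIONS = [
    ("fw-store1", "192.168.10.20", "00:11:22:aa:00:01"),
    ("fw-store2", "192.168.10.20", "00:11:22:bb:00:02"),
    ("fw-store1", "192.168.10.21", "00:11:22:aa:00:03"),
    ("fw-store2", "192.168.10.20", "00:11:22:bb:00:02"),
]

def bind_by_ip(observations):
    """IP-only keying: overlapping blocks collapse into one entry."""
    bindings = defaultdict(set)
    for _fw, ip, mac in observations:
        bindings[ip].add(mac)
    return dict(bindings)

def bind_by_segment_and_ip(observations):
    """(segment, IP) keying: each site's device keeps its own binding."""
    bindings = defaultdict(set)
    for fw, ip, mac in observations:
        segment = FIREWALL_SEGMENT.get(fw)
        if segment is None:
            raise ValueError(f"firewall {fw} is not assigned to a segment")
        bindings[(segment, ip)].add(mac)
    return dict(bindings)

def conflicts(bindings):
    """Keys that map to more than one MAC, i.e. ambiguous device identity."""
    return sorted(k for k, macs in bindings.items() if len(macs) > 1)

if __name__ == "__main__":
    print("IP-only conflicts:", conflicts(bind_by_ip(OBSERVATIONS)))
    by_segment = bind_by_segment_and_ip(OBSERVATIONS)
    for (segment, ip), macs in sorted(by_segment.items()):
        print(SEGMENT_SITE[segment], ip, sorted(macs))
```

With IP-only keying, 192.168.10.20 appears as one address flapping between two MACs, which is the kind of ambiguity that skews a behavior baseline; with segment-aware keying the same traffic resolves to two separate devices.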
To support identification of devices in a network with shared IP block groups, add and
manage network segment configurations.