>
    Strata Copilot
    Add a Network Segment
    Focus
    Download PDF
    Focus
    1. Home
    2. Device Security
    3. Device Security Administration Guide
    4. Discover IoT Devices and Take Inventory
    5. Devices with Overlapping IP Addresses
    6. Add a Network Segment
    Download PDF
    Device Security

    Add a Network Segment

    Table of Contents

    Add a Network Segment

    Add a network segment to Device Security by manually configuring one. Use the configured network segment to manage overlapping IP addresses.
    Where Can I Use This?What Do I Need?
    • Device Security (Managed by Strata Cloud Manager)
    • (Legacy) IoT Security (Standalone portal)
    One of the following subscriptions:
    • Device Security subscription for an advanced Device Security product (Enterprise, OT, or Medical)
    • Device Security X subscription
    A network segment helps Device Security identify distinct devices with overlapping IP addresses. To take advantage of network segments, create a network segment, and then convert IP block groups to Shared IP Blocks to specify which IP block groups in your network overlap across sites. Device Security automatically detects most networks based on observed traffic, but you can also manually add networks.
    Only users with an owner or administrator role can create and manage network segment configurations.
    When you convert a subnet or IP block to a Shared IP Block, or revert a Shared IP Block back to a subnet or IP block, all devices and attributes associated with the affected Shared IP Block are deleted from the assets inventory. Devices and attributes must be relearned from traffic.

    Strata Cloud Manager

    Add a network segment to Device Security in Strata Cloud Manager by manually configuring one. Use the configured network segment to manage overlapping IP addresses.

    Create a Network Segment

    Create a Network Segment
    1. Navigate to NetworksNetwork Segments.
    2. Add a network segment.
      This brings up the Add Network Segment dialog.
    3. Enter the network segment configuration details.
      • Name: Enter a name for the network segment.
      • Optional Description: Enter a brief description for the network segment.
      • Firewall: Select the firewalls that you want to assign to the network segment. You can search by a firewall's serial number and name, or use the drop-down selector. The drop-down selector shows if firewalls are assigned to a network segment or not. If you select an already assigned firewall, it will be removed from its existing segment after saving the configuration. A network segment must have at least one firewall assigned to it.
      • Optional Assigned to site: Select or create the site that the network segment is assigned to. If you don't choose a site, the network segment is assigned to the default site. You can only assign a network segment to one site.
    4. Add the network segment.
    5. Verify that the new network segment appears in the Segments table, with the correct firewalls and site.

    Create a Network Shared Block

    Create a Network Shared Block
    You must configure at least one network segment before converting a subnet or IP block to a Shared IP Block. See Add a Network Segment.
    1. Navigate to NetworksAll Networks.
    2. Optional If the shared IP block group doesn't appear in the Networks table, add the subnet or IP address block.
    3. Convert the shared IP block group from a Subnet or Block to a Shared Block.
      When you convert a subnet or IP block to a Shared IP Block, or revert a Shared IP Block back to a subnet or IP block, all devices and attributes associated with the affected Shared IP Block are deleted from the assets inventory. Devices and attributes must be relearned from traffic.
      1. In the Networks table, find the Subnet or Block that is reused across multiple sites.
      2. Click the three vertical dots at the far right of the subnet or block row and select Change to IP Shared Block.
      3. After the Networks table refreshes, find the IP Prefix that you changed, and verify that the Type is Shared Block.
    4. Verify that the shared block only has segment types, and that there is a segment for all configured network segments.
      1. Check that the shared block consists of segments.
        Click the IP Prefix field for the shared block. This updates the Networks table to show the shared IP prefix. For all the rows, the Type should be Segment.
      2. Check that the shared block segment information matches your network segment.
        Verify that there is a segment row with a Network Segment attribute that matches the name of each of the network segments in the Segments table under NetworksNetwork Segments. The Site attribute should match the site that each network segment is assigned to.

    Verify the Network Segment Configuration

    Verify the Network Segment Configuration
    1. Verify the network segment.
      1. Navigate to NetworksNetwork Segments.
      2. Verify that your network segment appears in the Segments table, with the correct firewalls and sites.
    2. Verify the shared block and the network segment mapping.
      1. Navigate to NetworksAll Networks.
      2. In the Networks table, find the shared block that you configured earlier, and select the IP Prefix field.
      3. In the updated Networks table for the shared block, verify that there is a row where the Network Segment attribute is the name of the network segment that you created earlier.
      4. For the same row, verify that the Site attribute is the name of the site that your network segment is assigned to.
    3. Optional Verify that the shared block and the network segment belong to the correct site.
      1. Navigate to NetworksSites.
      2. Find the site the network segment belongs to, click the three vertical dots at the far right of the site's row, and select Edit Site.
      3. In the Edit Site dialog that appears, verify that the following appears in the respective fields.
        • IP Prefix (Optional): The IP prefix of the shared block that you created.
        • Network Segment (Optional): The name of the network segment that you created.
    4. Verify that distinct devices and device attributes are assigned correctly in the devices inventory table.
      Information in the devices inventory table may take time to populate. Device Security needs to see enough traffic from the network segments to identify devices and device attributes.
      1. Navigate to AssetsDevices.
      2. In the Inventory table, select the Columns icon (three vertical bars) to open the column fields pop-up.
      3. Select the following column options.
        • IP Address under the Basic category.
        • Network Segments under the Network category.
        • Firewall under the Traffic category.
      4. Return to the Inventory table and verify that devices with overlapping IP addresses have the correct network segment attribute, and the firewall matches one of the firewalls assigned to the corresponding network segment.

    (Legacy) IoT Security

    Add a network segment to Device Security by manually configuring one. Use the configured network segment to manage overlapping IP addresses.

    Create a Network Segment

    Create a Network Segment
    1. Navigate to NetworksNetworks and SitesNetwork Segments Configuration.
    2. Add a network segment.
      This brings up the Add Network Segment dialog.
    3. Enter the network segment configuration details.
      • Name: Enter a name for the network segment.
      • Optional Description: Enter a brief description for the network segment.
      • Firewall: Select the firewalls that you want to assign to the network segment. You can search by a firewall's serial number and name, or use the drop-down selector. The drop-down selector shows if firewalls are assigned to a network segment or not. If you select an already assigned firewall, it will be removed from its existing segment after saving the configuration. A network segment must have at least one firewall assigned to it.
      • Optional Assigned to site: Select or create the site that the network segment is assigned to. If you don't choose a site, the network segment is assigned to the default site. You can only assign a network segment to one site.
    4. Add the network segment.
    5. Verify that the new network segment appears in the Segments table, with the correct firewalls and site.

    Create a Network Shared Block

    Create a Network Shared Block
    You must configure at least one network segment before converting a subnet or IP block to a Shared IP Block. See Add a Network Segment.
    1. Navigate to NetworksNetworks and SitesNetworks.
    2. Optional If the shared IP block group doesn't appear in the Networks table, add the subnet or IP address block.
    3. Convert the shared IP block group from a Subnet or Block to a Shared Block.
      When you convert a subnet or IP block to a Shared IP Block, or revert a Shared IP Block back to a subnet or IP block, all devices and attributes associated with the affected Shared IP Block are deleted from the assets inventory. Devices and attributes must be relearned from traffic.
      1. In the Networks table, find the Subnet or Block that is reused across multiple sites.
      2. Click the three vertical dots at the far right of the subnet or block row and select Change to IP Shared Block.
      3. After the Networks table refreshes, find the IP Prefix that you changed, and verify that the Type is Shared Block.
    4. Verify that the shared block only has segment types, and that there is a segment for all configured network segments.
      1. Check that the shared block consists of segments.
        Click the IP Prefix field for the shared block. This updates the Networks table to show the shared IP prefix. For all the rows, the Type should be Segment.
      2. Check that the shared block segment information matches your network segment.
        Verify that there is a segment row with a Network Segment attribute that matches the name of each of the network segments in the Segments table under NetworksNetworks and SitesNetwork Segments Configuration. The Site attribute should match the site that each network segment is assigned to.

    Verify the Network Segment Configuration

    Verify the Network Segment Configuration
    1. Verify the network segment.
      1. Navigate to NetworksNetworks and SitesNetwork Segments Configuration.
      2. Verify that your network segment appears in the Segments table, with the correct firewalls and sites.
    2. Verify the shared block and the network segment mapping.
      1. Navigate to NetworksNetworks and SitesNetworks.
      2. In the Networks table, find the shared block that you configured earlier, and select the IP Prefix field.
      3. In the updated Networks table for the shared block, verify that there is a row where the Network Segment attribute is the name of the network segment that you created earlier.
      4. For the same row, verify that the Site attribute is the name of the site that your network segment is assigned to.
    3. Optional Verify that the shared block and the network segment belong to the correct site.
      1. Navigate to NetworksNetworks and SitesSites.
      2. Find the site the network segment belongs to, click the three vertical dots at the far right of the site's row, and select Edit Site.
      3. In the Edit Site dialog that appears, verify that the following appears in the respective fields.
        • IP Prefix (Optional): The IP prefix of the shared block that you created.
        • Network Segment (Optional): The name of the network segment that you created.
    4. Verify that distinct devices and device attributes are assigned correctly in the devices inventory table.
      Information in the devices inventory table may take time to populate. Device Security needs to see enough traffic from the network segments to identify devices and device attributes.
      1. Navigate to AssetsDevices.
      2. In the Inventory table, select the Columns icon (three vertical bars) to open the column fields pop-up.
      3. Select the following column options.
        • IP Address under the Basic category.
        • Network Segments under the Network category.
        • Firewall under the Traffic category.
      4. Return to the Inventory table and verify that devices with overlapping IP addresses have the correct network segment attribute, and the firewall matches one of the firewalls assigned to the corresponding network segment.

    © 2026 Palo Alto Networks, Inc. All rights reserved.