09-21-2023 06:02 AM
Sort of a double post here but I've confirmed with Palo Alto they have no mechanism in place to validate the IP via the GP Portal using industry standard methods. Essentially the workaround/mitigation of the server component of Tunnelcrack doesn't work.
I didn't hear back here so had opened ticket with Palo and I'm told that DCV isn't possible. Basically they've put out this bulletin:
https://security.paloaltonetworks.com/PAN-SA-2023-0004
Asking us to assign an IP and change our certificate but have absolutely no way of doing so since a public cert can't be verified properly as the industry standard method of doing so is not available on the portal. Just perfect!
For reference this is an example of the validation method from Digicert but others are similar process:
