https://live.paloaltonetworks.com/t5/general-topics/mandatory-action-required-device-certificate-enforcement-affects/m-p/1244777#M125773 <P>Hi everyone,</P> <P>&nbsp;</P> <P>We have a pair of PA-440 and when we login to the dashbaord we are greeted with a notification on the Device Certificate enforcement (I have attached a screenshot of the warning).</P> <P>&nbsp;</P> <P>When I have gone through the Customer advisory they clearly stated that the PA-4xx series are not affected by this enforcement.</P> <P>&nbsp;</P> <P>Now we do have the following CDSS features like (Threat prevention, URL filtering, Global Protect, and More) where they all will expire on Jul 2026.</P> <P>Besides there is an active and valid Device certificate in the Status Tab.</P> <P>&nbsp;</P> <P>Now my questions are here:<BR />1. is PA-440 affected by this?<BR />2. are there any additional methods for me to confirm they are not affected as safeguard?</P> <P>&nbsp;</P> <P>Thank you.</P> <P>Looking forward to hearing from you.</P> <P>&nbsp;</P> Fri, 02 Jan 2026 09:19:00 GMT S.Alizada 2026-01-02T09:19:00Z https://live.paloaltonetworks.com/t5/general-topics/mandatory-action-required-device-certificate-enforcement-affects/m-p/1244777#M125773 <P>Hi everyone,</P> <P>&nbsp;</P> <P>We have a pair of PA-440 and when we login to the dashbaord we are greeted with a notification on the Device Certificate enforcement (I have attached a screenshot of the warning).</P> <P>&nbsp;</P> <P>When I have gone through the Customer advisory they clearly stated that the PA-4xx series are not affected by this enforcement.</P> <P>&nbsp;</P> <P>Now we do have the following CDSS features like (Threat prevention, URL filtering, Global Protect, and More) where they all will expire on Jul 2026.</P> <P>Besides there is an active and valid Device certificate in the Status Tab.</P> <P>&nbsp;</P> <P>Now my questions are here:<BR />1. is PA-440 affected by this?<BR />2. are there any additional methods for me to confirm they are not affected as safeguard?</P> <P>&nbsp;</P> <P>Thank you.</P> <P>Looking forward to hearing from you.</P> <P>&nbsp;</P> Fri, 02 Jan 2026 09:19:00 GMT https://live.paloaltonetworks.com/t5/general-topics/mandatory-action-required-device-certificate-enforcement-affects/m-p/1244777#M125773 S.Alizada 2026-01-02T09:19:00Z https://live.paloaltonetworks.com/t5/general-topics/mandatory-action-required-device-certificate-enforcement-affects/m-p/1244786#M125774 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/374392237">@S.Alizada</a>&nbsp;,</P> <P data-start="155" data-end="384">&nbsp;</P> <P>&nbsp;</P> <P data-start="161" data-end="390">The notification banner you’re seeing is a generic, global message and isn’t dynamically filtered by platform type, which is why it can still appear on models like the PA-440 that are explicitly excluded from enforcement.<BR /><BR /></P> <P data-start="392" data-end="580">The PA-440 is not subject to the Device Certificate enforcement for CDSS, as it already uses the newer cert architecture with automated onboarding and renewal built into PAN-OS.<BR /><BR /></P> <P data-start="582" data-end="910">Regarding the July 2026 expiry you’re seeing... that’s related to your CDSS subscription licenses, not the device cert. License duration and expiration controls which features you can use and for how long.&nbsp;The device cert is used solely for secure authentication to PANW cloud services<BR /><BR /></P> <P data-start="912" data-end="1093">You’ve already confirmed that you have an active and valid device cert, so you’re good to go. If you’d like an extra sanity check, you can also verify the status via CLI:<BR /><BR /></P> <LI-CODE lang="markup">show device-certificate status </LI-CODE> <P data-start="912" data-end="1093">&nbsp;</P> <P data-start="1135" data-end="1166">Hope this helps clarify things!</P> <P>&nbsp;</P> Fri, 02 Jan 2026 16:17:41 GMT https://live.paloaltonetworks.com/t5/general-topics/mandatory-action-required-device-certificate-enforcement-affects/m-p/1244786#M125774 JayGolf 2026-01-02T16:17:41Z