End User Coaching

Create an end user notification template to generate a notification when they generate an Enterprise Data Loss Prevention (E-DLP) or Endpoint DLP incident.
In June 2026, Palo Alto Networks upgraded its end-user coaching experience. The legacy method of modifying a default notification template from the NGFW and Prisma Access Setup page is no longer available. Instead, you can now use the new End User Coaching page (Configuration > End User Coaching) to modify default notification templates and to create additional templates. If you configured notifications by using the legacy method, you must now configure new templates and associate them with DLP rules as described in the following instructions.
Where Can I Use This?
  • Prisma Access (Managed by Panorama or Strata Cloud Manager)
What Do I Need?
  • Prisma Access license with one of the following agents:
    • GlobalProtect
    • Prisma Access Agent
  • One of the following DLP licenses:
    • Enterprise Data Loss Prevention (E-DLP) license
    • Endpoint DLP license
    • Prisma Access CASB license
    • Next-Generation CASB for Prisma Access and NGFW (CASB-X) license
End User Coaching allows you to display notifications to your users when they generate an Enterprise Data Loss Prevention (E-DLP) or Endpoint DLP incident. To display notifications to your users, you modify or create a notification template from the End User Coaching page (Configuration > End User Coaching). You can choose between two notification types to match the severity of each event. Modal pop-ups require users to acknowledge a policy event before continuing their work, while Toast banners appear briefly and auto-dismiss after 30 seconds for lower-priority coaching. You can also configure the template to display notifications in the user's native language and to enable users to request exemptions from the notification.
When you modify an Enterprise DLP rule or create an endpoint DLP rule, you can enable end-user notifications for the rule and associate a notification template with the rule. When a user action triggers an incident based on the DLP rule, the user will be notified that they attempted an action that is disallowed. If the DLP notification template has exemption requests enabled, the user can request an exemption directly from the notification.
Access Experience User Interface displays only one notification per DLP incident in a 30-second period, regardless of how many times the user generates the same incident. For example, a user attempts to upload a file containing sensitive data to the Box Web app and Enterprise DLP blocks the upload. The user then immediately tries to upload the same file 5 more times and is blocked each time. In this case, only one Access Experience alert is generated even though the user was blocked from uploading a file containing sensitive data to the Box Web app 6 total times.

Set Up End User Coaching for Enterprise DLP

Create an end user notification template to generate a notification in Access Experience User Interface for a user when they generate an Enterprise Data Loss Prevention (E-DLP) incident.
  1. Review the Setup Prerequisites for End User Coaching to ensure you're running the minimum required agent, endpoint software, and Enterprise DLP plugin versions to display notifications.
  2. Contact your Palo Alto Networks representative to enable End User Coaching on your tenant.
  3. Install the GlobalProtect app or Prisma Access Agent.
    • GlobalProtect—App version 6.2.7 or later on Windows or macOS
    • Prisma Access Agent—Install the Prisma Access Agent on Windows or macOS
  4. Log in to Strata Cloud Manager.
  5. Enable Autonomous DEM.
    • GlobalProtect
      (GlobalProtect only) On Strata Cloud Manager, select Configuration > NGFW & Prisma Access > Configuration Scope > GlobalProtect > GlobalProtect App and Add App Settings. Configure the required settings to display notifications to your users in the Access Experience UI when they generate a DLP incident.
      (GlobalProtect and Prisma Access Agent) On Strata Cloud Manager, select Configuration > NGFW & Prisma Access > Configuration Scope > Access Agent > GlobalProtect App and Add App Settings. Configure the required settings to display notifications to your users in the Access Experience UI when they generate a DLP incident.
      Configure the following required App Configuration settings. Configure the rest of the GlobalProtect settings as needed.
      • Check (enable) Autonomous DEM and GlobalProtect Log Collection for Troubleshooting
      • Select Show Advanced Options > App and check (enable) Display ADEM Updates Notification Message
      • Select Show Advanced Options > User Behavior and for the DEM for Prisma Access (Windows and Mac Only) setting, select Install and User Can’t Enable or Disable DEM
      • Select Show Advanced Options > User Behavior and for the DEM for Prisma Access version 6.3 and above (Windows and Mac Only) setting, select Install the Agent
    • Prisma Access Agent
      On Strata Cloud Manager, select Configuration > NGFW & Prisma Access > Configuration Scope > Access Agent > Prisma Access Agent and Add Agent Settings. Configure the required settings to display notifications to your users in the Access Experience UI when they generate a DLP incident.
      Configure the following required App Configuration settings. Configure the rest of the Prisma Access Agent settings as needed.
      • Access Experience—Select Install.
      • Display ADEM Update Notification—Check Enable.
  6. (macOS only) In the Access Experience UI, select Settings > Notifications and enable Allow notifications.
    This setting must be enabled in the Access Experience UI for each user and is required to display notifications when the user generates a DLP incident. Configure the rest of the Access Experience notifications settings as needed.
  7. Configure Enterprise DLP.
    1. Create a decryption profile and policy rule.
      Enterprise DLP requires a decryption rule to decrypt and inspect traffic for sensitive data.
    2. Create custom data patterns to define your match criteria.
      Alternatively, you can use the predefined data patterns instead of creating custom data patterns.
    3. Create a data profile and add your data patterns.
      Only custom data profiles are supported. By default, the Action for all predefined DLP rules is set to Alert. You must clone the predefined data profile to edit the DLP rule Action.
  8. Create or modify a Network DLP notification template.
    A notification template defines the format of the coaching notification that will be displayed to end users when they generate an incident. Using the template, you can specify the contents of the notification message for sensitive file or non-file upload or download actions. You can also enable localization in the template to send notifications in each user’s preferred language.
    1. Log in to Strata Cloud Manager.
    2. Select Configuration > End User Coaching.
      The End User Coaching page lists the available notification templates. The Product Type column identifies the available Network DLP templates, including the default Network DLP template. You can edit any of these templates, or create a new template. You can also copy a notification template as a starting point for a new template.
    3. On the End User Coaching page complete one of the following actions:
      • To create a new notification template, select Create New.
      • To copy a notification template as a starting point for a new template, locate the template in the list and, from the Actions column, click the copy icon.
      • To edit a notification template, locate the template in the list and, from the Actions column, click the edit icon.
    4. Edit the fields of the notification template.
      1. Enter a Template Name and a Template Description to explain the purpose of the notification.
      2. For the Product Name, select NETWORK_DLP.
      3. (Optional) If you want the message to display in the end user's preferred language, complete the following steps.
        1. Toggle the Allow for Language Localization setting to the on position.
        2. Select the languages you want to support.
        3. Apply your selected languages to the template.
        Notifications will display based on the individual user's device language, if you applied that language to the template. Otherwise, the notification will display in English.
      4. Specify notification text for one or more security event types.
        You can specify coaching notifications for the following types of security events:
        • An attempt to upload or download a file containing sensitive data.
        • An attempt to upload or download sensitive data in non-file based traffic.
        For each event type, complete the following steps:
        1. Toggle the Enable Agent Notification setting to the on position.
        2. Specify a Notification Title that users receive when Enterprise DLP blocks the transfer of sensitive data. For example, Sensitive Data Transfer Detected.
        3. Define the Notification Message that users receive when Enterprise DLP blocks the transfer of sensitive data.
          You can use the following variables in your message templates. Include the brackets for each variable.
          • (File incidents only) [file name]—The name of the file containing sensitive data blocked by Enterprise DLP.
          • [app name]—The application that the user attempted to upload to, download from, or post non-file based content to.
          • (File incidents only) [direction]—Specifies whether Enterprise DLP blocked a file upload or download.
          • [action]—The action that Enterprise DLP took when sensitive data was detected. This value is always Blocked.
        4. Select one of the following notification display types:
          • Toast—The notification will disappear automatically without requiring user interaction. When you select this option, you can also select the screen location where the toast notification will appear.
          • Modal—The notification must be manually dismissed by the user.
        5. (File incidents only) If you want the user to be able to bypass security policies for legitimate business needs, toggle the Enable Exemption Request setting to the on position.
          If the template has this setting enabled, users can request an exception for their file upload or download request. If the display type is Modal, the user can also specify the reason they are requesting an exemption.
          1. Specify whether Enterprise DLP will grant exemption requests automatically or will send the exemption request to an incident responder for approval.
          2. Specify the number of days that Enterprise DLP will allow the exemption before the user must re-request the exemption. The maximum period is 365 days.
    5. Show Preview to see how the coaching notification will appear to the user. If you applied additional languages to the template, select the respective language tabs on the preview to verify the translation and to make changes as needed.
    6. Save the Network DLP notification template.
  9. Modify a DLP rule to enable end user notification for the rule and to select the notification template for the rule.
    When a user action triggers an incident based on the DLP rule, the notification displayed to the user will be based on the notification template.
  10. The user who generated the Enterprise DLP incident can view the Data Security notification for more information about the sensitive data uploaded, downloaded, or posted.
    A Data Security notification is displayed for seven days. There is no limit to the number of notifications displayed.
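The behavior described in the overview and in step 8 (bracketed template variables, fallback to English when the device language was not applied to the template, the Modal/Toast display choice, the 365-day exemption limit, and one notification per identical incident within a 30-second window) modelled as an added Python example. This is illustrative code, not Palo Alto Networks code; the incident key, the dictionary field names, and the sample template and incident are assumptions.

```python
from dataclasses import dataclass

SUPPRESSION_WINDOW_S = 30   # page: one notification per DLP incident per 30-second period
MAX_EXEMPTION_DAYS = 365    # page: maximum exemption validity period
VARIABLES = ("file name", "app name", "direction", "action")  # Network DLP template variables


@dataclass
class Template:
    title: str
    messages: dict          # language code -> message text; "en" is the required fallback
    display: str = "toast"  # "toast" auto-dismisses, "modal" must be acknowledged by the user
    exemption_enabled: bool = False
    exemption_days: int = 0

    def __post_init__(self):
        if "en" not in self.messages:
            raise ValueError("template needs an English message as the fallback")
        if self.display not in ("toast", "modal"):
            raise ValueError("display must be 'toast' or 'modal'")
        if not 0 <= self.exemption_days <= MAX_EXEMPTION_DAYS:
            raise ValueError(f"exemption_days must be 0..{MAX_EXEMPTION_DAYS}")


def render(text, incident):
    """Replace [variable] placeholders with incident values; unknown placeholders stay as-is."""
    for name in VARIABLES:
        if name in incident:
            text = text.replace(f"[{name}]", str(incident[name]))
    return text


class Coach:
    """Remembers what was already shown so repeats of one incident are suppressed."""

    def __init__(self):
        self.last_shown = {}  # incident key -> timestamp of the last notification shown

    def notify(self, template, incident, now):
        """Return the notification to display, or None if it falls inside the suppression window."""
        # Assumption for this model: an incident is identified by user, app, file and direction.
        key = (incident["user"], incident["app name"], incident.get("file name"), incident["direction"])
        last = self.last_shown.get(key)
        if last is not None and now - last < SUPPRESSION_WINDOW_S:
            return None
        self.last_shown[key] = now
        lang = incident.get("device_lang", "en")
        if lang not in template.messages:
            lang = "en"  # page: languages not applied to the template fall back to English
        return {
            "title": template.title,
            "message": render(template.messages[lang], incident),
            "language": lang,
            "display": template.display,
            # page: exemption requests apply to file incidents only
            "can_request_exemption": template.exemption_enabled and "file name" in incident,
        }


def simulate(template, incidents):
    """Feed (timestamp, incident) pairs through one Coach and return the notifications shown."""
    coach = Coach()
    return [n for t, inc in incidents if (n := coach.notify(template, inc, t)) is not None]


# Constructed sample: the page's Box example, one blocked upload followed by five immediate retries.
SAMPLE_TEMPLATE = Template(
    title="Sensitive Data Transfer Detected",
    messages={"en": "[direction] of [file name] to [app name] was [action].",
              "de": "[direction] von [file name] nach [app name] wurde [action]."},
    display="modal", exemption_enabled=True, exemption_days=30)
SAMPLE_INCIDENT = {"user": "alice", "app name": "Box", "file name": "payroll.xlsx",
                   "direction": "Upload", "action": "Blocked", "device_lang": "fr"}
SAMPLE_RUN = [(t, SAMPLE_INCIDENT) for t in (0, 1, 2, 3, 4, 5)]

if __name__ == "__main__":
    for note in simulate(SAMPLE_TEMPLATE, SAMPLE_RUN):
        print(note)
```

Running the sample shows a single notification for the six attempts, rendered in English because French was not applied to the template.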

End User Coaching for Endpoint DLP

Create an end user notification template to generate a notification in Access Experience User Interface for a user when they generate an Endpoint DLP incident.
  1. Review the Setup Prerequisites for End User Coaching to ensure you're running the minimum required agent, endpoint software, and Enterprise DLP plugin versions to display notifications.
  2. Contact your Palo Alto Networks representative to enable End User Coaching on your tenant.
  3. Install the Prisma Access Agent on Windows or macOS.
  4. Log in to Strata Cloud Manager.
  5. Enable Autonomous DEM.
    On Strata Cloud Manager, select Configuration > NGFW & Prisma Access > Configuration Scope > Access Agent > Prisma Access Agent and Add Agent Settings. Configure the required settings to display notifications to your users in the Access Experience UI when they generate a DLP incident.
    Configure the following required App Configuration settings. Configure the rest of the Prisma Access Agent settings as needed.
    • Access Experience—Select Install.
    • Display ADEM Update Notification—Check Enable.
  6. (macOS only) In the Access Experience UI, select Settings > Notifications and enable Allow notifications.
    This setting must be enabled in the Access Experience UI for each user and is required to display notifications when the user generates a DLP incident. Configure the rest of the Access Experience notifications settings as needed.
  7. Configure Enterprise DLP.
    1. Create a decryption profile and policy rule.
      Enterprise DLP requires a decryption rule to decrypt and inspect traffic for sensitive data.
    2. Create custom data patterns to define your match criteria.
      Alternatively, you can use the predefined data patterns instead of creating custom data patterns.
    3. Create a data profile and add your data patterns.
      Only custom data profiles are supported. By default, the Action for all predefined DLP rules is set to Alert. You must clone the predefined data profile to edit the DLP rule Action.
  8. Create an Endpoint DLP notification template.
    The notification template defines the format of the coaching notification that will be displayed to end users when they generate an incident. Using the template, you can specify the contents of the notification message that is displayed when an Endpoint DLP policy rule blocks access to a peripheral device or blocks the transfer of sensitive files to a peripheral device. You can also enable localization in the template to send notifications in each user’s preferred language.
    1. Select Configuration > End User Coaching.
    2. On the End User Coaching page, select Create New to create a notification template.
    3. Fill out the fields of the notification template.
      1. Enter a Template Name and a Template Description to explain the purpose of the notification.
      2. For the Product Name, select ENDPOINT_DLP.
      3. (Optional) If you want the message to display in the end user's preferred language, complete the following steps.
        1. Toggle the Allow for Language Localization setting to the on position.
        2. Select the languages you want to support.
        3. Apply your selected languages to the template.
        Notifications will display based on the individual user's device language, if you applied that language to the template. Otherwise, the notification will display in English.
      4. Specify notification text for one or more security event types.
        You can specify coaching notifications for the following types of security events:
        • An attempt to transfer a file containing sensitive data to a peripheral device
        • An attempt to access a restricted peripheral device
        For each event type, complete the following steps:
        1. Toggle the Enable Agent Notification setting to the on position.
        2. Specify a Notification Title that users receive when Enterprise DLP blocks the transfer of sensitive data. For example, Sensitive Data Transfer Detected.
        3. Define the Notification Message that users receive when Enterprise DLP blocks the transfer of sensitive data.
          You can use the following variables in your message templates. Include the brackets for each variable.
          • (File transfer incidents only) [File Name]—File name and extension containing sensitive data blocked by Enterprise DLP.
          • (File transfer incidents only) [Transfer Method]—The type of file action the user attempted, such as an upload or download action.
          • [Peripheral Type]—Type of peripheral device associated with the Endpoint DLP incident.
          • [Peripheral Name]—Name of the peripheral device associated with the Endpoint DLP incident.
          • [Action]—Action Enterprise DLP took when sensitive data was detected. This value is always Blocked.
          • [Policy Name]—Name of the Endpoint DLP policy rule against which the Endpoint DLP incident was generated.
        4. Select one of the following notification display types:
          • Toast—The notification will disappear automatically without requiring user interaction. When you select this option, you can also select the screen location where the toast notification will appear.
          • Modal—The notification must be manually dismissed by the user.
        5. (File transfer incidents only) If you want the user to be able to bypass security policies for legitimate business needs, toggle the Enable Exemption Request setting to the on position.
          If the template has this setting enabled, users can request an exception for their file upload or download request. If the display type is Modal, the user can also specify the reason they are requesting an exemption.
          1. Specify whether Enterprise DLP will grant exemption requests automatically or will send the exemption request to an incident responder for approval.
          2. Specify the number of days that Enterprise DLP will allow the exemption before the user must re-request the exemption. The maximum period is 365 days.
    4. Show Preview to see how the coaching notification will appear to the user. If you applied additional languages to the template, select the respective language tabs on the preview to verify the translation and to make changes as needed.
    5. Save the Endpoint DLP notification template.
  9. Create an Endpoint DLP Policy Rule to enable end user notification for the rule and to select the notification template for the rule.
    When a user action triggers an incident based on the DLP rule, the notification displayed to the user will be based on the notification template.
  10. The user who generated the Endpoint DLP incident can view the Data Security notification for more information about the sensitive data uploaded, downloaded, or posted.
    A Data Security notification is displayed for 7 days. There is no limit to the number of notifications displayed.

Request an End User Coaching Exemption

Request an exemption for traffic that generated an incident.
To notify users when they trigger a data protection incident, you can enable exemption requests within a DLP notification template. When you modify an Enterprise DLP rule or create an endpoint DLP rule, you can enable end-user notifications for the rule and associate the notification template with the rule. When a user action triggers an incident based on the DLP rule, the user will be notified that they attempted an action that is disallowed. If the DLP notification template has exemption requests enabled, the user can request an exemption directly from the notification.
  1. In the displayed notification, specify why you are requesting the exemption and click Request Exemption.
    Depending on the notification template, the request is either granted automatically or an administrator can review the incident and your exemption request to decide whether to grant your request.
    If your exemption request is granted, another notification message displays to let you know that you can continue with your task.
  2. (Optional) In the exemption request approval notification, click Review in Access Experience.
    Access Experience opens to the Notification History page, which shows information about the security incident and your exemption request. This information includes the validity period for the exemption.

Review an End User Coaching Exemption

Data security administrators can review an exemption for traffic that generated an Alert or Block DLP incident using End User Coaching to allow or deny an exemption for the end user.
  1. Log in to Strata Cloud Manager.
  2. Select Configuration > Data Loss Prevention > DLP Incidents and review your Enterprise DLP incidents.
  3. In the Incidents list, review the Response Status column and locate the DLP incidents with an Exception requested.
  4. Click the Incident ID for the DLP incident to view the incident details.
  5. The Response Management section displays the following information.
    • Request Date—Date end user requested an exemption from the DLP rule that blocked a file upload.
      Format is YYYY-Month-DD HH:MM:SS UTC.
    • Requested By—User-ID for the end user that requested the exemption. The User-ID is derived from GlobalProtect or Prisma Access Agent user mapping.
  6. In the Response Management section, respond to the exemption request.
    • Approve—Grants the end user an exemption for the specific traffic that generated the DLP incident. The end user can now reattempt the traffic that generated the DLP incident.
    • Deny—Denies the end user an exemption for the specific traffic that generated the DLP incident.
    • No Change—Selected by default when an end user requests an exemption but the exemption has not been approved or denied by an admin.
  7. Save.