Set Up End User Coaching for Enterprise DLP

Create an end user notification template to generate a notification in Access Experience User Interface for a user when they generate an Enterprise Data Loss Prevention (E-DLP) incident.
  1. Review the Setup Prerequisites for End User Coaching to ensure you're running the minimum required agent, endpoint software, and Enterprise DLP plugin versions to display notifications.
  2. Contact your Palo Alto Networks representative to enable End User Coaching on your tenant.
  3. Install the GlobalProtect app or Prisma Access Agent.
    • GlobalProtect—App version 6.2.7 or later on Windows or macOS
    • Prisma Access Agent—Install the Prisma Access Agent on Windows or macOS
  4. Log in to Strata Cloud Manager.
  5. Enable Autonomous DEM.
    • GlobalProtect
      (GlobalProtect only) On Strata Cloud Manager, select Configuration > NGFW & Prisma Access > Configuration Scope > GlobalProtect > GlobalProtect App and Add App Settings. Configure the required settings to display notifications to your users in the Access Experience UI when they generate a DLP incident.
      (GlobalProtect and Prisma Access Agent) On Strata Cloud Manager, select Configuration > NGFW & Prisma Access > Configuration Scope > Access Agent > GlobalProtect App and Add App Settings. Configure the required settings to display notifications to your users in the Access Experience UI when they generate a DLP incident.
      Configure the following required App Configuration settings. Configure the rest of the GlobalProtect settings as needed.
      • Check (enable) Autonomous DEM and GlobalProtect Log Collection for Troubleshooting
      • Select Show Advanced Options > App and check (enable) Display ADEM Updates Notification Message
      • Select Show Advanced Options > User Behavior and for the DEM for Prisma Access (Windows and Mac Only) setting, select Install and User Can’t Enable or Disable DEM
      • Select Show Advanced Options > User Behavior and for the DEM for Prisma Access version 6.3 and above (Windows and Mac Only) setting, select Install the Agent
    • Prisma Access Agent
      On Strata Cloud Manager, select Configuration > NGFW & Prisma Access > Configuration Scope > Access Agent > Prisma Access Agent and Add Agent Settings. Configure the required settings to display notifications to your users in the Access Experience UI when they generate a DLP incident.
      Configure the following required App Configuration settings. Configure the rest of the Prisma Access Agent settings as needed.
      • Access Experience—Select Install.
      • Display ADEM Update Notification—Check Enable.
  6. (macOS only) In the Access Experience UI, select Settings > Notifications and enable Allow notifications.
    This setting must be enabled in the Access Experience UI for each user; it is required to display notifications when the user generates a DLP incident. Configure the rest of the Access Experience notification settings as needed.
  7. Configure Enterprise DLP.
    1. Create a decryption profile and policy rule.
      Enterprise DLP requires a decryption rule to decrypt and inspect traffic for sensitive data.
    2. Create custom data patterns to define your match criteria.
      Alternatively, you can use the predefined data patterns instead of creating custom data patterns.
    3. Create a data profile and add your data patterns.
      Only custom data profiles are supported. By default, all predefined DLP Rules' Action are set to Alert. You must clone the predefined data profile to edit the DLP rule Action.
  8. Create or modify a Network DLP notification template.
    A notification template defines the format of the coaching notification that will be displayed to end users when they generate an incident. Using the template, you can specify the contents of the notification message for sensitive file or non-file upload or download actions. You can also enable localization in the template to send notifications in each user’s preferred language.
    1. Log in to Strata Cloud Manager.
    2. Select Configuration > End User Coaching.
      The End User Coaching page lists the available notification templates. The Product Type column identifies the available Network DLP templates, including the default Network DLP template. You can edit any of these templates or create a new template. You can also copy a notification template as a starting point for a new template.
    3. On the End User Coaching page, complete one of the following actions:
      • To create a new notification template, select Create New.
      • To copy a notification template as a starting point for a new template, locate the template in the list and, from the Actions column, click the copy icon.
      • To edit a notification template, locate the template in the list and, from the Actions column, click the edit icon.
    4. Edit the fields of the notification template.
      1. Enter a Template Name and a Template Description to explain the purpose of the notification.
      2. For the Product Name, select NETWORK_DLP.
      3. (Optional) If you want the message to display in the end user's preferred language, complete the following steps.
        1. Toggle the Allow for Language Localization setting to the on position.
        2. Select the languages you want to support.
        3. Apply your selected languages to the template.
        Notifications will display based on the individual user's device language, if you applied that language to the template. Otherwise, the notification will display in English.
      4. Specify notification text for one or more security event types.
        You can specify coaching notifications for the following types of security events:
        • An attempt to upload or download a file containing sensitive data.
        • An attempt to upload or download sensitive data in non-file based traffic.
        For each event type, complete the following steps:
        1. Toggle the Enable Agent Notification setting to the on position.
        2. Specify a Notification Title that users receive when Enterprise DLP blocks the transfer of sensitive data. For example, Sensitive Data Transfer Detected.
        3. Define the Notification Message that users receive when Enterprise DLP blocks the transfer of sensitive data.
          You can use the following variables in your message templates. Include the brackets for each variable.
          • (File incidents only) [file name]—The name of the file containing sensitive data blocked by Enterprise DLP.
          • [app name]—The application that the user attempted to upload to, download from, or post non-file based content to.
          • (File incidents only) [direction]—Specifies whether Enterprise DLP blocked a file upload or download.
          • [action]—The action that Enterprise DLP took when sensitive data was detected. This value is always Blocked.
        4. Select one of the following notification display types:
          • Toast—The notification will disappear automatically without requiring user interaction. When you select this option, you can also select the screen location where the toast notification will appear.
          • Modal—The notification must be manually dismissed by the user.
        5. (File incidents only) If you want the user to be able to bypass security policies for legitimate business needs, toggle the Enable Exemption Request setting to the on position.
          If the template has this setting enabled, users can request an exception for their file upload or download request. If the display type is Modal, the user can also specify the reason they are requesting an exemption.
          1. Specify whether Enterprise DLP will grant exemption requests automatically or will send the exemption request to an incident responder for approval.
          2. Specify the number of days that Enterprise DLP will allow the exemption before the user must re-request the exemption. The maximum period is 365 days.
    5. Show Preview to see how the coaching notification will appear to the user. If you applied additional languages to the template, select the respective language tabs on the preview to verify the translation and to make changes as needed.
    6. Save the Network DLP notification template.
  9. Modify a DLP rule to enable end user notification for the rule and to select the notification template for the rule.
    When a user action triggers an incident based on the DLP rule, the notification displayed to the user will be based on the notification template.
  10. The user who generated the Enterprise DLP incident can view the Data Security notification for more information about the sensitive data uploaded, downloaded, or posted.
    A Data Security notification is displayed for seven days. There is no limit to the number of notifications displayed.
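The following Python script is an added illustration, not code from Palo Alto Networks or from Strata Cloud Manager: it models the template behaviour the procedure above describes so an administrator can sanity-check a draft template before saving it. It covers the bracketed variables (with [file name] and [direction] allowed only for file incidents), the fallback to English when the device language was not applied to the template, the fixed Blocked action, and the 365-day cap on the exemption period. All class names, function names, the "upload"/"download" direction values and the sample incidents are assumptions constructed for this example.

```python
"""Hypothetical model of Network DLP end user coaching templates.

None of these names exist in Strata Cloud Manager or Enterprise DLP; they
only mirror the rules documented in the procedure above.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Variables the page documents. The file-only ones are invalid for
# notifications about non-file based traffic.
FILE_ONLY_VARS = {"file name", "direction"}
ALL_VARS = FILE_ONLY_VARS | {"app name", "action"}
MAX_EXEMPTION_DAYS = 365   # maximum exemption period stated on the page
DEFAULT_LANGUAGE = "en"    # notifications fall back to English
VAR_PATTERN = re.compile(r"\[([^\]]+)\]")


@dataclass
class Incident:
    """One blocked transfer, as the agent would see it (constructed)."""
    app_name: str
    is_file: bool
    device_language: str = DEFAULT_LANGUAGE
    file_name: Optional[str] = None
    direction: Optional[str] = None   # assumed values: "upload" or "download"


@dataclass
class EventNotification:
    """Per event type settings of a template (file or non-file)."""
    title: str
    messages: Dict[str, str]          # language code -> message with [variables]
    display: str = "toast"            # "toast" or "modal"
    exemption_enabled: bool = False
    exemption_days: int = 0
    exemption_auto_approve: bool = False


def invalid_variables(template: str, is_file: bool) -> List[str]:
    """Return bracketed variables that are unknown or not allowed for this event type."""
    bad = []
    for var in VAR_PATTERN.findall(template):
        if var not in ALL_VARS or (var in FILE_ONLY_VARS and not is_file):
            bad.append(var)
    return bad


def validate_exemption(event: EventNotification) -> None:
    """Enforce the documented 1..365 day range when exemption requests are on."""
    if not event.exemption_enabled:
        return
    if not 1 <= event.exemption_days <= MAX_EXEMPTION_DAYS:
        raise ValueError(
            f"exemption period must be 1..{MAX_EXEMPTION_DAYS} days, "
            f"got {event.exemption_days}")


def pick_language(messages: Dict[str, str], device_language: str) -> str:
    """Use the device language only if it was applied to the template."""
    return device_language if device_language in messages else DEFAULT_LANGUAGE


def render(event: EventNotification, incident: Incident) -> Dict[str, str]:
    """Produce the notification a user would see for this incident."""
    lang = pick_language(event.messages, incident.device_language)
    template = event.messages[lang]
    bad = invalid_variables(template, incident.is_file)
    if bad:
        raise ValueError(f"template uses variables not valid here: {bad}")
    # [action] is always Blocked according to the page.
    values = {"app name": incident.app_name, "action": "Blocked"}
    if incident.is_file:
        values["file name"] = incident.file_name or ""
        values["direction"] = incident.direction or ""
    text = template
    for name, value in values.items():
        text = text.replace(f"[{name}]", value)
    return {"title": event.title, "message": text,
            "language": lang, "display": event.display}


# Constructed sample template: English plus German applied, modal display.
FILE_EVENT = EventNotification(
    title="Sensitive Data Transfer Detected",
    messages={
        "en": "[action]: [direction] of [file name] to [app name] contained sensitive data.",
        "de": "[action]: [direction] von [file name] nach [app name] enthielt sensible Daten.",
    },
    display="modal", exemption_enabled=True, exemption_days=30)

if __name__ == "__main__":
    validate_exemption(FILE_EVENT)
    inc = Incident(app_name="Box", is_file=True, device_language="fr",
                   file_name="payroll.xlsx", direction="upload")
    print(render(FILE_EVENT, inc))   # French not applied, so English is used
```

Run it as a script to see the rendered notification for the constructed incident; the French device language is not applied to the template, so the English message is used, exactly as the localization note in step 8 describes.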