Firewalls are typically used to prevent hackers, or malicious actors from accessing your internal network. In addition, they are also utilized to filter Internet access to unapproved websites from within the internal network; however, that is not always the case when the machine is taken off the network. While they are able to see network traffic traversing the perimeter via firewall logs, and are likely to block website access, a perimeter firewall is unable to see the context of activities or any activity that is occurring solely within the network, leaving your educational institution vulnerable.
Firewalls therefore do not provide sufficient protection for a multitude of vulnerabilities within your network. User Activity monitoring fills these gaps by continuously monitoring users for signs of risk