The error "Kerio Control Web Filter is not activated / categorization is disabled"
typically occurs when the system cannot verify the reliability of its categorization service or if the required license has expired Common Causes & Solutions License Expiry Kerio Control Web Filter is an optional module that requires a special license. If you are in a trial period
, the module is automatically disabled after 30 days, making categorization options unavailable. : Verify your license status on the Kerio Control Dashboard Reliability Detection Failure
: Kerio Control sends automatic DNS check queries to its update servers. If it fails to receive a response 10 times in a row within one minute, it marks the Web Filter as "not reliable" and disables categorization. Temporary Fix
: The system usually attempts to revert to normal operation after one hour. Manual Fix (via SSH)
: You can disable the reliability check manually by logging into the Kerio Control console and running these commands: cd /opt/kerio/winroute ./tinydbclient "update SiteFilter set DetectReliability=0" /etc/boxinit.d/60winroute restart Use code with caution. Copied to clipboard DNS & Connection Issues
: Categorization is handled by an external service (Zvelo). If your DNS settings (like using Google's DNS) interfere with reaching *.zvelo.com , the filter may fail. Cloudflare (1.1.1.1) as custom DNS forwarding servers GFI Support How to Re-enable the Web Filter
If the license and connection are valid, ensure the setting is actually checked in the UI: Kerio Control Administration interface Navigate to Content Filter Applications and Web Categories Enable Kerio Control Web Filter GFI Support SSH commands to check your current license status or verify Zvelo server connectivity Using Kerio Control Web Filter - KerioControl - GFI
When your Kerio Control Web Filter displays a "not activated" status or states that "categorization is disabled," it usually stems from a connectivity failure between your firewall and the Zvelo categorization servers.
If a simple restart doesn't fix it, follow these steps to restore functionality: 1. Resolve Connectivity & Reliability Issues
Kerio Control will disable the Web Filter if it fails to receive a DNS response from update servers 10 times in a row. This is a safety mechanism to prevent network hangs when the filter isn't "reliable."
Temporary Fix: Restart the Kerio Control appliance to restore immediate internet access.
Permanent Fix (via SSH): To prevent future automatic disabling, you must disable the DetectReliability feature: Access the Kerio Control shell via SSH. Navigate to the directory: cd /opt/kerio/winroute.
Execute this command to disable reliability detection:./tinydbclient "update SiteFilter set DetectReliability=0". Restart the engine: /etc/boxinit.d/60winroute restart. 2. Update DNS Forwarding Servers
If you are using Google's DNS (8.8.8.8), you might encounter "Invalid Authorization" errors because Zvelo key tokens expire every 21 days and may fail to refresh through these servers.
Solution: Change your custom DNS forwarding servers for *.zvelo.com to Cloudflare (1.1.1.1) or OpenDNS (208.67.222.222).
Action: Update these settings in Configuration > DNS, then reboot the appliance. 3. Verify License & Activation Status The error "Kerio Control Web Filter is not
The Web Filter requires a specific active license module. If your core license is valid but the filter is "not activated," it may be a module-specific expiration.
Check Status: Go to the Dashboard in the Kerio Control Administration interface to verify the license expiration date.
Re-enable Manually: Sometimes the filter just needs to be toggled:
Navigate to Content Filter > Applications and Web Categories. Uncheck and re-check Enable Kerio Control Web Filter. Click Apply. 4. Advanced Troubleshooting: HTTPS & Wildcards
If specific sites still aren't being categorized correctly or are blocked despite being whitelisted:
Enable HTTPS Decryption: The filter cannot categorize encrypted traffic without HTTPS decryption enabled under Content Filter > HTTPS Filtering.
Wildcard Handling: If you whitelist a domain, ensure you use a trailing wildcard (e.g., *.domain.com/*) to capture all sub-paths. Using Kerio Control Web Filter
This report addresses the issue where the Kerio Control Web Filter is reported as "not activated" or "categorization is disabled," causing internet connectivity issues or a failure to apply content filtering rules. 1. Diagnosis & Root Causes Web Filter Service Failure (Zvelo):
Kerio Control uses Zvelo to categorize websites. If the service fails to get updates, it disables categorization. DNS Resolution Issues: Web Filter needs to reach *.zvelo.com
URLs. If custom DNS servers (like Google 8.8.8.8) are slow, it can trigger a "DNS response timeout". Expired License:
Subscription renewal is necessary for Web Filter to function. Corrupted/Invalid Authorization: Expired Zvelo token (expires every 21 days) or corrupted winroute.cfg support.keriocontrol.gfi.com 2. Immediate Workarounds & Fixes A. Fix DNS and Connectivity Change DNS Servers: Ensure your DNS servers are robust. Cloudflare ( ) or OpenDNS ( 208.67.222.222 ) are recommended for better *.zvelo.com resolution. Restart Kerio Control: A simple reboot often restores functionality. support.keriocontrol.gfi.com B. Fix "Categorization is Disabled" via SSH
If the filter stays disabled, manually reset the reliability detection, which might be wrongly flagging the filter as "not working." Login via SSH:
Connect to the Kerio Control console using a tool like PuTTY. Run Commands: cd /opt/kerio/winroute ./tinydbclient "update SiteFilter set DetectReliability=0" /etc/boxinit.d/60winroute restart Use code with caution. Copied to clipboard
This disables the reliability check that turns off the filter after DNS issues. support.keriocontrol.gfi.com C. Fix "Invalid Authorization" (Expired Token) If logs show DNS response 'FAILURE: Invalid authorization' , update the winroute.cfg to ensure the correct Zvelo server is used: Access Configuration: Access the configuration file winroute.cfg through SSH. Verify URL: DiaServerUrl v4.url.zvelo.com Reboot the machine after verifying. support.keriocontrol.gfi.com 3. Verification & Activation Activate/Re-enable: Content Filter > Applications and Web Categories and verify "Enable Kerio Control Web Filter" is checked. Check Licenses: Verify the Subscription/License validity on the Dashboard. Check Logs: Review the Security log for errors related to categorization. GFI Support 4. Long-Term Solutions Verify Subscription: Contact GFI Sales if the license is expired. Check Disk Space:
A "cannot load new license file" error often results from a full disk. Clear cache files if necessary. Use URL Whitelist: If a site is blocked incorrectly, use the Content Filter > Applications and Web Categories > Add feature to whitelist it directly. support.keriocontrol.gfi.com Using Kerio Control Web Filter
The error message "Kerio Control Web Filter is not activated, categorization is disabled" Go to Status > Interfaces
typically occurs when the Kerio Control firewall fails to reach the external categorization servers (zvelo) for 10 consecutive attempts within one minute
. This triggers a "not reliable" status, causing the web filter to disable itself to prevent blocking legitimate traffic due to a lack of data. support.keriocontrol.gfi.com Direct Solutions Wait for Automatic Reversion
: In many cases, Kerio Control will automatically attempt to revert to normal operation after if the connection is restored. SSH Fix (Manual Reset)
: If the filter remains disabled, you can manually reset the detection status via the SSH console: Login to the Kerio Control console via Navigate to the directory: cd /opt/kerio/winroute Run the command: ./tinydbclient "update SiteFilter set DetectReliability=0" Restart the service: /etc/boxinit.d/60winroute restart Adjust DNS Settings
: This error often stems from DNS issues or expired authorization tokens. It is recommended to use Cloudflare (1.1.1.1) (208.67.222.222) as custom DNS servers for the *.zvelo.com domain to ensure reliable categorization traffic. support.keriocontrol.gfi.com Potential Root Causes License Expiration
: The Web Filter requires a special license. If the license has expired or the trial period (30 days) has ended, the categorization options will be unavailable. Connectivity Failures
: High latency or a slow internet link can prevent the system from reaching the update servers. Expired Authorization Tokens
: Zvelo key tokens expire every 21 days; if they fail to refresh from Kerio's internal servers, authorization will fail. support.keriocontrol.gfi.com Checking Filter Status
To verify if the filter is correctly enabled once connectivity is restored: Navigate to Content Filter Applications and Web Categories Enable Kerio Control Web Filter is checked. to save changes. GFI Support SSH commands
for a different version of Kerio Control, or help checking your license status in the GFI portal? Technical Support Specialist Systems Administrator Using Kerio Control Web Filter
Troubleshooting Kerio Control: Web Filter Not Activated & Categorization Disabled
When the Kerio Control Web Filter displays a "Not Activated" status and categorization is disabled, your network loses its primary defense against malicious and inappropriate web content. This issue typically stems from licensing lapses, DNS resolution failures, or expired communication tokens with the Zvelo categorization service. Primary Causes for Activation Issues
Understanding why the filter is disabled is the first step toward a fix. Common triggers include:
Trial Period Expiration: The Kerio Control Web Filter is an optional module. If not licensed, it functions as a 30-day trial and automatically disables itself afterward.
DNS Reliability Failures: Kerio Control sends automatic DNS check queries to its update servers. If these fail 10 times in a row within one minute, the system deems the filter unreliable and disables categorization.
Expired Authorization Tokens: Kerio uses Zvelo for website categorization. The security tokens for this service expire every 21 days. If they fail to renew—often due to custom DNS settings—the filter will show as "not activated". Step-by-Step Solutions 1. Verify License and Enable the Filter Check: Go to Administration Console >
Before technical troubleshooting, ensure the module is active in the software interface. Log in to the Kerio Control Administration interface.
Navigate to Content Filter > Applications and Web Categories. Ensure Enable Kerio Control Web Filter is checked.
Click Apply. If the options are greyed out, your license for this specific module may have expired or is not included in your current subscription. 2. Resolve "Invalid Authorization" (Zvelo Tokens)
If you see "Invalid authorization" errors in your logs, the issue is likely with the Zvelo token renewal.
Check DNS Forwarders: It is highly recommended to use Cloudflare (1.1.1.1) or OpenDNS (208.67.222.222) as custom DNS servers for *.zvelo.com URLs.
Manual Reset via SSH: If the token won't refresh, you may need to reset it using the Kerio Control Console. Connect via SSH. Navigate to /opt/kerio/winroute.
Verify the DiaServerUrl value is set to v4.url.zvelo.com in the winroute.cfg file. 3. Disable Reliability Detection
If your Internet connection is slow or your ISP has unstable DNS, Kerio might disable the filter prematurely. You can disable this "safety" check via SSH: Log in to the console via SSH.
Execute the command: ./tinydbclient "update SiteFilter set DetectReliability=0".
Restart the service using: /etc/boxinit.d/60winroute restart. 4. Check for Proxy Conflicts
Note that Application Awareness (which relies on the Web Filter) does not work if a non-transparent proxy server is enabled in Kerio Control. Ensure your Proxy Settings are configured to be transparent if you require full categorization. Testing Your Fix Once you have applied these changes, verify the status: Go to Content Filter > Applications and Web Categories. Use the Test URL tool.
Enter a known URL (e.g., google.com) and verify that a category is returned instead of an error.
For further detailed instructions, refer to the GFI Kerio Control Support Guide. Using Kerio Control Web Filter - KerioControl - GFI
Before fixing the issue, you must understand what is happening under the hood.
Kerio Control does not simply block URLs via a static list. It uses a dynamic cloud categorization service. When a user requests facebook.com, Kerio Control sends a hash of that domain to GFI’s cloud servers. The servers reply with a category (e.g., "Social Networking"). Your firewall then applies the rule (e.g., "Block Social Networking").
The error "categorization is disabled" means the firewall cannot communicate with GFI’s cloud or the local licensing module that enables that feature. The error "web filter is not activated" usually means the license key does not include the Web Filter module or the service has crashed.
Kerio Control needs to "phone home" to the categorization servers (typically webfilter.kerio.com or similar endpoints) to download category lists.
ping google.comThe most common reason for categorization being disabled is a licensing issue. The "Kerio Control Web Filter" (formerly Sophos or integrated categorization) requires an active subscription.