The error “Kerio Control Web Filter is not activated. Categorization is disabled.” typically indicates a licensing, connectivity, or service state issue. Following the diagnostic and resolution steps above will restore category-based web filtering. If unresolved, contact GFI/Kerio support with debug logs and license file details.
The error message "Kerio Control Web Filter is not activated, categorization is disabled" typically occurs because the firewall has failed to reach the external categorization servers (zvelo.com) multiple times, causing it to mark the service as unreliable and disable it. Immediate Fixes
Wait 1 Hour: Kerio Control is designed to automatically attempt to revert to normal operation after one hour of the error occurring.
DNS Verification: Ensure your firewall can resolve external domains. It is recommended to use Cloudflare (1.1.1.1) or OpenDNS (208.67.222.222) as custom DNS servers for *.zvelo.com URLs to avoid authorization failures.
Check License Status: If your Kerio Control or Web Filter subscription has expired, the web filter will be automatically disabled. You can check this in the Dashboard or License section of the GFI administration interface. Technical Workaround (SSH)
If the web filter remains disabled after an hour and DNS settings are correct, you can manually reset the reliability detection via SSH: Connect via SSH to your Kerio Control console.
Execute the following commands to disable the reliability check and restart the service:
cd /opt/kerio/winroute ./tinydbclient "update SiteFilter set DetectReliability=0" /etc/boxinit.d/60winroute restart Use code with caution. Copied to clipboard
Note: This forces the filter to stay active even if it has trouble reaching the update servers. Configuration Check
Navigate to Content Filter > Applications and Web Categories. Ensure Enable Kerio Control Web Filter is checked.
Verify that you have at least one Content Rule active that requires categorization; the filter often only "activates" when a rule is processing traffic. Using Kerio Control Web Filter - KerioControl - GFI
This error indicates that Kerio Control cannot verify its license or reach the categorization servers, typically due to DNS timeouts license expiration support.keriocontrol.gfi.com Quick Fixes Check DNS Forwarders : Use reliable DNS servers like Cloudflare (1.1.1.1) or
(208.67.222.222). Avoid using Google DNS (8.8.8.8) for Zvelo lookups as it can cause authorization failures support.keriocontrol.gfi.com Restart the System
: Rebooting Kerio Control often restores the link to the update servers support.keriocontrol.gfi.com Verify License
: Ensure your Kerio Control Web Filter license is active. Without it, the module disables itself 30 days after installation GFI Support Advanced SSH Resolution
If the error persists despite a stable internet connection, Kerio Control's "Reliability Detection" may have permanently disabled the filter after 10 failed connection attempts support.keriocontrol.gfi.com . You can reset this via support.keriocontrol.gfi.com Log in to Kerio Control via SSH (e.g., using support.keriocontrol.gfi.com Navigate to the directory cd /opt/kerio/winroute Disable Reliability detection and reset the timers: ./tinydbclient "update SiteFilter set DetectReliability=0" Restart the engine /etc/boxinit support.keriocontrol.gfi.com Configuration Check In the administration interface, go to Content Filter Applications and Web Categories support.keriocontrol.gfi.com Enable Kerio Control Web Filter is checked GFI Support If a specific site is still blocked erroneously, use the The error “Kerio Control Web Filter is not activated
feature in this same tab to report the miscategorization to Zvelo support.keriocontrol.gfi.com
Does your current license show as active under the Dashboard/Status section? Using Kerio Control Web Filter
The error message "Kerio Control Web Filter is not activated; categorization is disabled" typically occurs when the firewall cannot reach its external categorization servers or has encountered a licensing/authorization failure. This issue is a common pain point for administrators using the GFI Kerio Control Unified Threat Management (UTM) solution. Core Issue Overview
The Kerio Control Web Filter relies on a third-party service called Zvelo to categorize URLs. When the filter shows as "not activated," it means the local Kerio appliance is unable to verify categories for websites, effectively disabling content-based blocking rules. Common Root Causes
DNS Failures: Kerio Control performs automatic DNS health checks. If 10 consecutive queries fail within one minute, the system marks the Web Filter as "not reliable" and disables it.
Invalid Authorization: This often stems from an expired Zvelo token (which typically expires after 21 days). If the appliance cannot fetch a new token from Kerio’s internal servers, the filter remains inactive.
ISP Restrictions: Some ISPs limit the frequency of DNS requests, which can trigger reliability errors since the web filter makes numerous requests to zvelo.com for categorization. Troubleshooting & Fixes
To resolve this "disabled" state, administrators often use the following official GFI Support steps:
Change DNS Servers: Switch your custom DNS forwarders to stable providers like Cloudflare (1.1.1.1) or OpenDNS (208.67.222.222) specifically for *.zvelo.com traffic.
Disable Reliability Detection: If the filter stays disabled due to minor network blips, you can use SSH to run:./tinydbclient "update SiteFilter set DetectReliability=0"This prevents the system from automatically disabling the filter when it perceives the connection as unreliable.
Manual Activation: Ensure the filter is toggled on under Content Filter > Applications and Web Categories in the administration interface. User Experience Impact
Pros: When active, the filter provides robust, color-coded rule management and automated blocking of malicious sites, ads, and peer-to-peer networks.
Cons: Users report that when the filter is "disabled," the entire security policy for web access may fail open or closed depending on configuration, leading to either security gaps or frustrated users unable to access legit sites.
Are you currently facing this error on a hardware appliance or a virtual machine? Using Kerio Control Web Filter - KerioControl - GFI
DNS Reliability Detection: Kerio Control automatically disables the web filter if it fails to receive DNS responses from update servers 10 times in a row. The error message "Kerio Control Web Filter is
Fix: You can disable this "Reliability detection" via the GFI Support command-line fix to prevent automatic shutdowns during minor connectivity blips.
Expired or Missing License: The Kerio Control Web Filter requires a specific license module. If the license expires or you are using a trial version past 30 days, categorization will be disabled automatically.
DNS Configuration Issues: Using standard public DNS (like Google 8.8.8.8) can sometimes lead to "Invalid Authorization" errors with the classification service.
Fix: It is recommended to use Cloudflare or OpenDNS (208.67.222.222) as custom DNS servers for the *.zvelo.com domains used for categorization.
Guest Network Limitations: If the user is connected through a guest interface, Kerio Control disables the Web Filter for that traffic by default. Managing "Lifestyle and Entertainment" Content
If categorization is working but a specific site in the Lifestyle and Entertainment group is being blocked incorrectly, you can manage this in the Kerio Control Web Filter settings:
Navigate to Content Filter > Applications and Web Categories.
Use the Test URL tool to see if the site is correctly identified.
If miscategorized, you can report it or add the specific URL to the URL Whitelist to bypass the general category block.
Have you checked your Error Logs for "DNS response timeout" or "Invalid Authorization" to see exactly why it's dropping?
Resolving Web Filter Invalid authorization failures - KerioControl
When the Kerio Control Web Filter shows as "not activated" or "categorization is disabled," it typically stems from connectivity failures between the Kerio appliance and its update servers or authorization issues with the third-party categorization service, Zvelo. Common Fixes
Reset Reliability Detection (Recommended Hotfix)Kerio Control automatically disables the Web Filter if it fails to receive a response to DNS check queries 10 times in a row within one minute. To force activation and reset these timers, you can use the SSH console: Access your Kerio Control via SSH. Navigate to the directory: cd /opt/kerio/winroute
Execute the command to disable reliability detection:./tinydbclient "update SiteFilter set DetectReliability=0"
Restart the winroute service: /etc/boxinit.d/60winroute restart. Web Filter activation requires that Kerio Control can
Fix Authorization & DNS IssuesCategorization often fails due to an "Invalid Authorization" error, which usually means the Zvelo key token (valid for 21 days) has expired or cannot be refreshed.
Switch DNS Servers: Avoid using Google's DNS (8.8.8.8) as custom forwarding servers for these requests. Use Cloudflare (1.1.1.1) or OpenDNS (208.67.222.222) instead.
Verify Server URL: Ensure the DiaServerUrl in /opt/kerio/winroute/winroute.cfg is set correctly to v4.url.zvelo.com.
Basic Activation CheckEnsure the module is actually enabled in the UI and that your license is active. The Web Filter is a separate module; if your 30-day trial or specific license has expired, the categorization options will automatically grey out.
Navigate to Content Filter > Applications and Web Categories and check Enable Kerio Control Web Filter.
Have you recently updated your DNS settings or noticed any "Invalid Authorization" logs in your Kerio administration panel?
Web Filter categorization disabled. Serial number: ko-197974
Here’s a useful, troubleshooting-focused article based on the error message:
“Kerio Control Web Filter is not activated – Categorization is disabled”
Web Filter activation requires that Kerio Control can resolve:
Go to Configuration → Network → DNS.
Test resolution from the diagnostics shell:
dig update.gfi.com
Solution: Fix DNS forwarders or bypass internal DNS for Kerio's update domains.
The Kerio Control Web Filter license or its categorization engine is not functioning.
As a result, the system cannot classify websites into categories (e.g., Social Media, Streaming, Malware, Adult Content). Any firewall rule that depends on URL Groups or Category-based filtering will be ignored or will fail to match traffic correctly.
The most frequent cause is a license issue. The Web Filter category database is a premium service.