While categorization is broken, you can still filter by:
But cloud category-based blocking (e.g., “Block Pornography”) will not work until the error is resolved.
The error message "Kerio Control Web Filter is not activated, categorization is disabled" typically occurs because the firewall has failed to reach the external categorization servers (zvelo.com) multiple times, causing it to mark the service as unreliable and disable it.
Immediate Fixes
Wait 1 Hour: Kerio Control is designed to automatically attempt to revert to normal operation after one hour of the error occurring.
DNS Verification: Ensure your firewall can resolve external domains. It is recommended to use Cloudflare (1.1.1.1) or OpenDNS (208.67.222.222) as custom DNS servers for *.zvelo.com URLs to avoid authorization failures.
Check License Status: If your Kerio Control or Web Filter subscription has expired, the web filter will be automatically disabled. You can check this in the Dashboard or License section of the GFI administration interface.
Technical Workaround (SSH)
If the web filter remains disabled after an hour and DNS settings are correct, you can manually reset the reliability detection via SSH:
Connect via SSH to your Kerio Control console.
Execute the following commands to disable the reliability check and restart the service:
    cd /opt/kerio/winroute
    ./tinydbclient "update SiteFilter set DetectReliability=0"
    /etc/boxinit.d/60winroute restart
Note: This forces the filter to stay active even if it has trouble reaching the update servers.
Configuration Check
Navigate to Content Filter > Applications and Web Categories. Ensure Enable Kerio Control Web Filter is checked.
Verify that you have at least one Content Rule active that requires categorization; the filter often only "activates" when a rule is processing traffic.
The error message "Kerio Control Web Filter is not activated" / "Categorization is disabled" typically indicates a communication failure between your Kerio Control appliance and the backend categorization servers (Zvelo). This is often triggered when the system detects a "DNS response timeout" multiple times, leading it to mark the filter as unreliable.
Immediate Troubleshooting Steps
Check DNS Stability: Ensure your Kerio Control is using reliable DNS servers. It is recommended to use Cloudflare (1.1.1.1) or OpenDNS (208.67.222.222) as custom DNS forwarding servers.
Verify Web Filter Status: Navigate to Content Filter > Applications and Web Categories and ensure Enable Kerio Control Web Filter is checked.
Wait for Automatic Recovery: By default, Kerio Control attempts to revert the Web Filter to normal operation after one hour if the connection stabilizes.
Fix for Persistent "Disabled" Status
If the filter remains disabled after a restart or after an hour, you may need to manually reset the "Reliability Detection" via the SSH console:
Enable SSH: Navigate to Status > System Health, then click Enable SSH.
Access the Console: Log in to your Kerio Control via an SSH client (like PuTTY).
Execute Reset Commands:
    cd /opt/kerio/winroute
    ./tinydbclient "update SiteFilter set DetectReliability=0"
    /etc/boxinit.d/60winroute restart
Note: The final command restarts the Kerio Control engine, which will momentarily disrupt traffic.
Common Root Causes
License Expiry: Ensure your Kerio Control Web Filter license is active and registered.
ISP Connection Issues: High latency or packet loss on your internet link can trigger the "unreliable" flag.
Invalid Authorization: If "Invalid Authorization" appears in logs, it may be due to an expired Zvelo key token (usually valid for 21 days), often caused by specific DNS forwarding issues.
This error indicates that Kerio Control cannot verify its license or reach the categorization servers, typically due to DNS timeouts or license expiration.
Quick Fixes
Check DNS Forwarders: Use reliable DNS servers like Cloudflare (1.1.1.1) or OpenDNS (208.67.222.222). Avoid using Google DNS (8.8.8.8) for Zvelo lookups as it can cause authorization failures.
Restart the System: Rebooting Kerio Control often restores the link to the update servers.
Verify License: Ensure your Kerio Control Web Filter license is active. Without it, the module disables itself 30 days after installation.
Advanced SSH Resolution
If the error persists despite a stable internet connection, Kerio Control's "Reliability Detection" may have permanently disabled the filter after 10 failed connection attempts. You can reset this via SSH:
Log in to Kerio Control via SSH.
Navigate to the directory: cd /opt/kerio/winroute
Disable Reliability detection and reset the timers: ./tinydbclient "update SiteFilter set DetectReliability=0"
Restart the engine: /etc/boxinit
Configuration Check
In the administration interface, go to Content Filter > Applications and Web Categories and ensure Enable Kerio Control Web Filter is checked.
If a specific site is still blocked erroneously, use the feature in this same tab to report the miscategorization to Zvelo.
Does your current license show as active under the Dashboard/Status section?
The error "Kerio Control Web Filter is not activated / categorization is disabled" typically occurs when the firewall cannot reach the Zvelo categorization servers or when the license token has expired. This is often triggered by DNS failures, where the system marks the filter as "unreliable" after multiple failed connection attempts.
Core Troubleshooting Steps
1. Verify DNS and Reachability
Kerio Control uses DNS queries to reach its update and categorization servers. If your ISP or current DNS configuration is slow or blocking these requests, the filter will deactivate.
Change DNS Forwarders: Avoid using Google DNS (8.8.8.8) for Zvelo categorization as it can cause "Invalid Authorization" errors. Instead, use Cloudflare (1.1.1.1) or OpenDNS (208.67.222.222).
Check DNS Reliability: Kerio deactivates the filter if 10 consecutive DNS queries fail within one minute. Usually, it tries to re-enable itself after one hour, but a manual restart is often faster.
2. Resolve "Invalid Authorization" Failures
If your error log specifically mentions "Invalid Authorization," it likely means the Zvelo key token has expired (tokens typically last 21 days).
Verify DiaServerUrl: Ensure the value v4.url.zvelo.com is correctly set in the configuration file located at /opt/kerio/winroute/winroute.cfg.
Clear the Cache: Sometimes a simple reboot after changing DNS settings is required to force a new token request.
3. Advanced SSH Fix (Disable Reliability Detection)
If the filter keeps disabling due to minor network fluctuations, you can disable the "Reliability Detection" feature via the Kerio Control Console:
Connect to your Kerio Control appliance via SSH.
Navigate to the directory: cd /opt/kerio/winroute
Execute the following command to disable the reliability check: ./tinydbclient "update SiteFilter set DetectReliability=0"
Restart the service: /etc/boxinit.d/60winroute restart
Common Configuration Pitfalls
License Expiration: Ensure your Kerio Control Web Filter license is active. Without a valid subscription, the module defaults to a trial state and eventually disables itself.
Guest Network Limitations: Note that the Web Filter is disabled by default for the Guest Interface to allow users to reach the welcome page without authentication.
HTTPS Decryption: For categorization to work accurately on secure sites, ensure HTTPS Filtering (decrypt and filter) is enabled under Content Filter > HTTPS Filtering.
Do you need the specific SSH commands to check your current license status or verify the winroute.cfg contents?
Web Filter categorization disabled. Serial number: ko-197974
DNS Reliability Detection: Kerio Control automatically disables the web filter if it fails to receive DNS responses from update servers 10 times in a row.
Fix: You can disable this "Reliability detection" via the GFI Support command-line fix to prevent automatic shutdowns during minor connectivity blips.
Expired or Missing License: The Kerio Control Web Filter requires a specific license module. If the license expires or you are using a trial version past 30 days, categorization will be disabled automatically.
DNS Configuration Issues: Using standard public DNS (like Google 8.8.8.8) can sometimes lead to "Invalid Authorization" errors with the classification service.
Fix: It is recommended to use Cloudflare or OpenDNS (208.67.222.222) as custom DNS servers for the *.zvelo.com domains used for categorization.
Guest Network Limitations: If the user is connected through a guest interface, Kerio Control disables the Web Filter for that traffic by default.
Managing "Lifestyle and Entertainment" Content
If categorization is working but a specific site in the Lifestyle and Entertainment group is being blocked incorrectly, you can manage this in the Kerio Control Web Filter settings:
Navigate to Content Filter > Applications and Web Categories.
Use the Test URL tool to see if the site is correctly identified.
If miscategorized, you can report it or add the specific URL to the URL Whitelist to bypass the general category block.
Have you checked your Error Logs for "DNS response timeout" or "Invalid Authorization" to see exactly why it's dropping?
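One way to run that error-log check offline, as an added example (not Kerio or GFI code): it scans exported log lines for the two messages quoted above and flags any run of 10 "DNS response timeout" entries that falls inside one minute, the threshold described earlier. The line layout, the "Web Filter:" prefix and the function names are assumptions, and the sample lines are constructed.

```python
import re
from collections import deque
from datetime import datetime

# Assumed layout: "[15/Mar/2024 10:00:05] message text" (constructed, not from a real log).
LINE_RE = re.compile(r"^\[(\d{2}/[A-Za-z]{3}/\d{4} \d{2}:\d{2}:\d{2})\]\s+(.*)$")
TS_FMT = "%d/%b/%Y %H:%M:%S"


def analyze(lines, threshold=10, window_s=60):
    """Return (trip_times, invalid_auth_count) for an exported error log.

    An error log records failures only, so "consecutive" is approximated as
    `threshold` timeout entries in a row that span at most `window_s` seconds.
    """
    recent = deque(maxlen=threshold)   # timestamps of the latest timeout entries
    trips, invalid_auth = [], 0
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                   # skip lines that do not fit the assumed layout
        ts = datetime.strptime(m.group(1), TS_FMT)
        msg = m.group(2).lower()
        if "invalid authorization" in msg:
            invalid_auth += 1
        elif "dns response timeout" in msg:
            recent.append(ts)
            span = (ts - recent[0]).total_seconds()
            if len(recent) == threshold and span <= window_s:
                trips.append(ts)
                recent.clear()         # count afresh after the threshold is reached
    return trips, invalid_auth


def build_sample():
    """Constructed input: a slow trickle, 10 timeouts in 45 s, one auth failure."""
    out = [f"[15/Mar/2024 09:{m:02d}:00] Web Filter: DNS response timeout"
           for m in range(0, 50, 10)]
    out += [f"[15/Mar/2024 10:00:{s:02d}] Web Filter: DNS response timeout"
            for s in range(0, 50, 5)]
    out.append("[15/Mar/2024 10:05:12] Web Filter: Invalid Authorization")
    return out


if __name__ == "__main__":
    trips, bad_auth = analyze(build_sample())
    for t in trips:
        print("reliability threshold reached at", t)
    print("Invalid Authorization entries:", bad_auth)
```

A flagged burst points at DNS reachability; "Invalid Authorization" entries without any burst point at the token and DNS forwarder issue instead.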
Kerio Control applies its own rule set to traffic originating from the appliance (e.g., license checks, category updates).
Navigate to Configuration → Network Rules → Traffic Rules.
Add a rule at the top:
Place this rule above any "Deny all" rules.
Before fixing the problem, you must understand the architecture. Kerio Control uses a cloud-based URL Database (formerly McAfee, now partially proprietary and third-party) to categorize websites (e.g., “Social Networking,” “Streaming Media,” “Phishing”).
When you see "Web Filter is not activated, categorization is disabled," the firewall has lost communication with that database or the licensing server. The "hot" tag usually refers to a transient, high-priority failure state—often indicating a timeout or a license reset that requires immediate re-activation.