Article ID: KC-WF-001
Product: Kerio Control (formerly WinRoute)
Affected Versions: 9.x, 8.x, and legacy 7.x
Symptoms: Web filtering fails, content rules are ignored, and the administration interface shows a warning that categorization is disabled.
Kerio Control is a robust unified threat management (UTM) appliance that provides firewall, VPN, and web content filtering. One of its most valuable features is the ability to block or allow websites based on dynamic URL categorization (e.g., “Social Networking,” “Adult Content,” “Streaming Media”).
However, administrators occasionally encounter a frustrating problem. Despite enabling web filtering, the system refuses to filter traffic. The dashboard or logs repeatedly state: “Web filter is not activated – categorization is disabled.”
This article explains why this message appears, the seven most common causes, and step-by-step solutions to restore full web filtering functionality.
After fixing the issue, back up your configuration immediately:
While categorization is disabled, you can still filter using Static URL Lists.
To understand the error, you must first know how Kerio Control’s web filter works.
Kerio Control does not rely solely on static blocklists. Instead, it uses real-time cloud-based URL categorization. When a user requests a website, the Kerio appliance queries a remote categorization server (provided by Kerio’s parent company, GFI Software, or a third-party partner like McAfee). The server returns a category ID (e.g., 92 for “Gambling”). The appliance then applies your content rules.
If categorization is disabled, the appliance cannot query the cloud. Consequently, no website receives a category, and all content rules dependent on categories fail silently.
Thus, the message is not a warning—it is a functional shutdown of category-based filtering.
Kerio Control Web Filter Not Activated: A Review of Categorization Disabled Workarounds
Kerio Control is a popular network security and UTM (Unified Threat Management) solution that provides robust protection against various types of threats, including web-based attacks. One of its key features is the Web Filter, which allows administrators to control and restrict access to websites based on their categories. However, what happens when the Web Filter is not activated, and categorization is disabled? In this review, we'll explore the implications of this scenario and discuss potential workarounds.
The Issue: Web Filter Not Activated and Categorization Disabled
When the Kerio Control Web Filter is not activated, and categorization is disabled, it means that the solution is not actively monitoring and blocking web traffic based on predefined categories. This can lead to several issues, including:
Workarounds and Solutions
While it's essential to activate the Web Filter and enable categorization, there are some workarounds that organizations can implement to mitigate the risks:
Conclusion
In conclusion, a Kerio Control Web Filter that is not activated, and categorization is disabled, can leave organizations vulnerable to web-based threats. While there are workarounds and solutions available, it's essential to prioritize the activation of the Web Filter and enable categorization to ensure robust protection and control over web traffic. By doing so, organizations can ensure a safer and more secure online environment for their users.
Rating: 2.5/5
The current state of the Kerio Control Web Filter, when not activated and categorization is disabled, leaves much to be desired. While there are workarounds and solutions available, the lack of an active Web Filter and categorization disabled can put organizations at risk. We recommend activating the Web Filter and enabling categorization to ensure optimal protection and control.
Recommendations
By following these recommendations, organizations can ensure a more secure and controlled online environment.
This issue typically occurs when Kerio Control loses connectivity to its categorization servers (Zvelo) or fails internal reliability checks. Quick Fixes
Verify Basic Activation: Ensure the feature is actually toggled on. Go to Content Filter > Applications and Web Categories and verify Enable Kerio Control Web Filter is checked.
Check DNS Forwarding: The Web Filter relies on reaching *.zvelo.com. Configure custom DNS forwarding for this domain to reliable servers like Cloudflare (1.1.1.1) or OpenDNS (208.67.222.222) rather than internal or ISP servers that might time out.
Reboot the Appliance: A simple restart can often clear temporary authorization token failures or DNS timeouts. Advanced Troubleshooting (via SSH)
If the Web Filter shows as "not activated" even with a valid license, Kerio may have disabled it due to detected unreliability (e.g., more than 10 failed DNS check queries in one minute). To force-enable the service and bypass reliability checks:
Enable SSH: Hold Shift while clicking Status > System Health in the admin interface and click Enable SSH. Connect via SSH using an app like PuTTY.
Run the following commands to disable reliability detection and restart the service:
cd /opt/kerio/winroute ./tinydbclient "update SiteFilter set DetectReliability=0" /etc/boxinit.d/60winroute restart Use code with caution. Copied to clipboard Other Potential Causes
License/Token Expiry: Authorization tokens for categorization expire every 21 days. If they fail to renew due to blocked traffic, categorization will disable.
Guest Network Limitations: Note that the Kerio Control Web Filter is disabled by default for the guest network interface.
Are you seeing any specific error logs (like "Invalid Authorization" or "DNS response timeout") in the Error or Debug logs? Using Kerio Control Web Filter - KerioControl - GFI
The "Kerio Control Web Filter is not activated / categorization is disabled" issue typically stems from connectivity failures to backend servers or license validation errors. Primary Causes and Solutions
DNS Reliability Issues: Kerio Control performs automatic DNS checks to reach update servers. If 10 consecutive queries fail within one minute, the system marks the Web Filter as "not reliable" and disables categorization.
Fix: You can disable this reliability detection via the SSH console with these commands: cd /opt/kerio/winroute ./tinydbclient "update SiteFilter set DetectReliability=0" /etc/boxinit.d/60winroute restart
Expired or Invalid Authorization: An "Invalid Authorization" error often occurs if an expired Zvelo key token (which lasts 21 days) is used. After fixing the issue, back up your configuration
Fix: Update your DNS configuration to use reliable third-party servers like Cloudflare (1.1.1.1) or OpenDNS (208.67.222.222) for *.zvelo.com URLs.
Licensing Constraints: The Web Filter requires a specific license and will automatically disable after a 30-day trial period if not activated.
Fix: Verify your license status in the GFI KISS portal and ensure the "Download Limit" has not been reached.
Network Timeouts: Intermittent ISP issues or slow connection speeds can trigger the "categorization disabled" state.
Fix: The service usually attempts to revert to normal after one hour of stable connectivity. Basic Configuration Check Ensure the filter is actually enabled in the UI:
Navigate to Content Filter > Applications and Web Categories. Verify Enable Kerio Control Web Filter is checked. Click Apply to save changes.
Web Filter categorization disabled. Serial number: ko-197974
When Kerio Control displays the error "Web Filter is not activated" or "categorization is disabled," it typically indicates a breakdown in communication between your firewall and the zvelo categorization servers or an expired license component. This effectively disables category-based filtering rules, leaving your network exposed. Primary Causes and Solutions
DNS Reliability Check Failures: Kerio Control performs automated DNS checks to verify connectivity to update servers. If these queries fail 10 times consecutively within one minute, the system marks the Web Filter as "unreliable" and disables it.
Fix: You can disable this "Reliability detection" via the SSH console by navigating to /opt/kerio/winroute and executing:./tinydbclient "update SiteFilter set DetectReliability=0".
DNS Forwarding Issues: Using certain DNS providers (like Google's 8.8.8.8) can occasionally cause categorization failures.
Recommendation: Use Cloudflare (1.1.1.1) or OpenDNS (208.67.222.222) as custom DNS servers specifically for *.zvelo.com domains.
Expired Authorization Tokens: Categorization relies on a security token that expires every 21 days. If your firewall cannot reach the internal GFI/Kerio servers to refresh this token, categorization will stop working.
Licensing Constraints: The Kerio Control Web Filter is a separate licensed module. If your main license does not include this add-on, or if you are 30 days past installation without a valid key, the feature will be automatically disabled. Immediate Troubleshooting Steps
Check License Status: In the Kerio Control Webadmin Dashboard, verify that the "Kerio Control Web Filter" component shows as active and has not exceeded its download limits.
Verify Configuration: Ensure the filter is explicitly enabled under Content Filter > Applications and Web Categories.
Perform a Test URL: Use the "Test URL" tool in the administration interface to see if the firewall can successfully categorize a site like google.com. If it returns an error, the issue is connectivity-based.
Restart Services: A simple reboot of the Kerio Control appliance or a manual restart of the winroute service via SSH often restores functionality if the issue was a temporary timeout. If you'd like, I can: While categorization is disabled, you can still filter
Provide the exact SSH commands to check your categorization logs. Help you re-register your license if it shows as expired.
Guide you through setting up DNS forwarding for the zvelo servers.
Web Filter categorization disabled. Serial number: ko-197974
This error typically occurs when Kerio Control determines that its connection to the categorization servers (Zvelo) is unreliable, often due to DNS timeouts or expired authorization tokens. When the system fails to reach these servers ten times within a single minute, it automatically disables the Web Filter to prevent it from blocking legitimate traffic by mistake. 🛠️ Immediate Fix: Disable Reliability Detection
If your internet is working but the filter remains disabled, you can manually reset the internal "reliability" check via the SSH console.
Enable SSH: Hold Shift and navigate to Status > System Health in the Kerio admin interface, then click Enable SSH.
Access the Console: Connect to your appliance via an SSH client (like PuTTY). Run Reset Commands:
cd /opt/kerio/winroute ./tinydbclient "update SiteFilter set DetectReliability=0" /etc/boxinit.d/60winroute restart Use code with caution. Copied to clipboard
Note: This forces the filter to stay active even if it can't reach the categorization servers immediately. 🌐 Resolve Underlying DNS & Connection Issues
The Web Filter relies on specific DNS lookups to function. Misconfigured DNS servers are a leading cause of "Invalid Authorization" errors.
Change DNS Forwarders: Avoid using Google DNS (8.8.8.8) as the primary forwarder for categorization queries. Use Cloudflare (1.1.1.1) or OpenDNS instead.
Create Custom Forwarding: In DNS > Custom DNS Forwarding, add a rule for *.zvelo.com pointing to a reliable public DNS.
Check Licenses: Ensure your license hasn't reached its "download limit" for updates. You can check this in the GFI KISS Portal under your license details. ⚠️ Common Causes
Expired Tokens: Zvelo tokens expire every 21 days; if they can't refresh due to blocked traffic, categorization fails.
ISP Latency: A slow or unstable internet link can cause the "10 failures in 1 minute" threshold to be met.
Firewall Blocks: Ensure that your firewall rules allow outgoing traffic for the categorization service on standard ports. If you'd like to troubleshoot further, let me know: What version of Kerio Control are you currently running?
Are you seeing a specific "Invalid Authorization" error in your logs? Do you have HTTPS decryption enabled?
Web Filter categorization disabled. Serial number: ko-197974 By following these recommendations
On rare occasions, the web filter module fails to install correctly. Backup your configuration (Configuration → Backup → Download), then reinstall Kerio Control. Restore the backup and reapply the license.