Kerio Control Web Filter Is Not Activated Categorization Is Disabled Fixed -

The error message "Kerio Control Web Filter is not activated, categorization is disabled"

typically occurs when the firewall detects a loss of reliability in reaching the categorization servers or if there is an authorization failure with the third-party service ( Common Causes DNS Reliability Check Failure

: Kerio Control sends automatic DNS queries to update servers. If it fails to receive a response 10 times within 1 minute, it marks the Web Filter as "unreliable" and disables categorization. Invalid Authorization : This often stems from an expired

key token (which typically expires after 21 days) or incorrect DNS forwarding settings. License Issues

: The Web Filter requires a specific license. If the license is expired or not properly registered, options in the "Applications and Web Categories" tab will be unavailable. support.keriocontrol.gfi.com Steps to Fix Disable Reliability Detection (SSH)

If the issue is caused by intermittent DNS timeouts, you can disable the reliability check via the SSH console Connect to the console (e.g., using Putty). Navigate to the directory: cd /opt/kerio/winroute Run the command: ./tinydbclient "update SiteFilter set DetectReliability=0" Restart the service: /etc/boxinit.d/60winroute restart Adjust DNS Forwarding

"Invalid Authorization" errors can occur when using Google's DNS. It is recommended to use Cloudflare (1.1.1.1) OpenDNS (208.67.222.222) as custom DNS forwarding servers for *.zvelo.com Manual Re-activation Content Filter Applications and Web Categories Enable Kerio Control Web Filter is checked. to force a refresh. Verify License Status

section to ensure your license is valid and that the "Web Filter" module is included. If you have recently renewed, you may need to download the license file and register it again. support.keriocontrol.gfi.com Do you need the specific SSH commands

for a different version of Kerio Control, or should I help you troubleshoot your DNS forwarding

Web Filter categorization disabled. Serial number: ko-197974

The error message "Kerio Control Web Filter is not activated, and categorization is disabled" occurs when the system can no longer reach its update/categorization servers, often due to DNS timeouts or authorization failures. Solution 1: Disable Reliability Detection (Technical Fix) The error message "Kerio Control Web Filter is

Kerio Control has a built-in safety mechanism that disables the Web Filter if it fails to reach update servers 10 times in a row within one minute. You can override this via the SSH console: Log in via SSH to the Kerio Control console. Navigate to the directory:cd /opt/kerio/winroute

Run the update command to disable the reliability check:./tinydbclient "update SiteFilter set DetectReliability=0" Restart the service:/etc/boxinit.d/60winroute restart Solution 2: Resolve "Invalid Authorization" DNS Issues

If your logs show FAILURE: Invalid authorization, your DNS servers may be failing to resolve the Zvelo categorization service.

Change DNS Forwarders: Avoid using Google DNS (8.8.8.8) as your primary forwarder for this service. Instead, set Cloudflare (1.1.1.1) or OpenDNS (208.67.222.222) as custom DNS servers for the *.zvelo.com domain.

Reboot: After modifying DNS settings, a system reboot is recommended to clear cached authorization tokens that typically expire every 21 days. Solution 3: Verify License Status

The Web Filter is a separate licensed module. If your Kerio Control license has expired or was not properly activated, the module will automatically disable itself.

Go to Dashboard > License to check the status of the "Web Filter" module.

If you recently reinstalled, ensure you have completed the Activation Wizard. Quick Verification Steps

System Health: Check Status > System Health for any reported DNS timeouts or license errors.

Enable Predefined Rules: Ensure the "Kerio Control Web Filter categories and applications" rule is enabled under Content Filter > Content Rules. Ensure the firewall allows outbound HTTPS traffic to:

Are you seeing any specific DNS timeout or authorization errors in your Warning or Error logs?

Web Filter categorization disabled. Serial number: ko-197974

In the world of network management, few things are as frustrating as seeing a "Not Activated" status on a tool you rely on. Here is the story of how the Kerio Control Web Filter's categorization issue—a common headache for admins—is typically diagnosed and fixed. The Situation Everything seems fine until the administrator logs into the Kerio Control Webadmin and sees a warning:

"Kerio Control Web Filter is not activated. Categorization is disabled."

Suddenly, the dynamic database that rates and blocks content is offline, leaving the network vulnerable or causing intermittent connectivity for users. The Investigation The admin digs into the Error logs and finds a recurring message:

"DNS response timeout, Kerio Control Web Filter categorization disabled"

The system reveals its logic: Kerio Control sends automatic DNS queries to reach update servers. If these fail 10 times in a row within a single minute, the filter decides it can't be trusted and shuts down its categorization engine. This is often caused by: DNS Reliability

: The default ISP DNS servers might be throttling requests from the filter, which makes frequent calls to services like for page ratings. License Hiccups

: The Web Filter requires a specific license. If it's a new install, the 30-day trial may have expired, or a subscription renewal might be overdue. The administrator follows a documented GFI Support solution to bring the system back to life: Switching DNS Providers

: To prevent future timeouts, they move away from ISP DNS and configure Custom DNS forwarding using reliable servers like Cloudflare (1.1.1.1) Disabling Reliability Detection Run: /etc/init.d/keriocontrol status

: If the filter stays "disabled" even after the network is fixed, the admin logs into the Kerio console via

and runs a command to reset the timers and disable the sensitive reliability check: cd /opt/kerio/winroute ./tinydbclient "update SiteFilter set DetectReliability=0" /etc/boxinit.d/60winroute restart Manual Re-activation : Once the backend is stable, they return to the Applications and Web Categories tab and re-check Enable Kerio Control Web Filter

With the reliability check silenced and the DNS queries flying through, the status indicator finally turns green. The filter is active, categorization is restored, and the network is back under control. Are you seeing a specific message or a DNS timeout error in your Kerio Control console? AI responses may include mistakes. Learn more Using Kerio Control Web Filter

3. Test Connectivity to Kerio Services

Step 2: Verify Web Filter Configuration

Review and verify the Web Filter configuration to ensure it is set up correctly.

  1. Log in to the Kerio Control administration interface.
  2. Navigate to Configuration > Filtering Rules.
  3. Ensure that the Web Filter is enabled and set to Categorize URLs.
  4. Verify that the categorization settings are configured according to your organization's policies.

On Kerio Control appliance / VM:

  1. SSH into the box or access local console

  2. Run:

    /etc/init.d/keriocontrol status

    Or for newer versions:

    systemctl status kerio-control

  3. Restart the web filter service:

    /etc/init.d/keriocontrol-web-filter restart

  4. Restart the entire Kerio Control engine if needed:

    /etc/init.d/keriocontrol restart

Fix #5: Disable HTTPS Inspection (Temporarily)

HTTPS inspection can interfere with the web filter’s ability to download categorization data, because the update process uses a pinned certificate that may be tampered with if you’re intercepting all SSL traffic.

  1. Go to Web Filter → HTTPS Inspection.
  2. Uncheck Enable HTTPS inspection.
  3. Apply changes.
  4. Re-test categorization: Web Filter → URL Categorization → Update Now.
  5. If it works, you have a certificate issue. Re-generate the CA certificate in SSL Certificates and re-deploy to clients. You can re-enable HTTPS inspection later.