How to Fix "Kerio Control Web Filter is Not Activated, Categorization is Disabled"
If you are seeing the error "Kerio Control Web Filter is not activated; categorization is disabled" in your Kerio Control administration interface, your network's content filtering has essentially been paralyzed. This error prevents the firewall from identifying website categories (like social media, gambling, or malware sites), meaning your custom URL rules won’t work.
Here is a comprehensive guide to troubleshooting and fixing this issue. 1. Verify License Status and Maintenance
The Kerio Control Web Filter is a premium add-on service powered by Cyren (or GFI, depending on your version). It requires a valid, active subscription. Check the Dashboard: Go to Status > License Details.
Verify Expiration: Ensure that both the "Kerio Control" license and the "Web Filter" module are not expired. If your Software Maintenance Agreement (SMA) has lapsed, the categorization servers will refuse the connection from your appliance.
Refresh License: Click Update License Info to force the appliance to check in with the GFI servers. 2. Check DNS Resolution on the Firewall
The Kerio Control appliance must be able to resolve the addresses of the backend categorization servers. If the firewall itself cannot resolve DNS, the Web Filter will fail to activate.
Test DNS: Go to Status > System Health and use the Debug or Ping tool (or SSH into the box). Try to ping google.com or ://kerio.com. How to Fix "Kerio Control Web Filter is
Fix DNS: Ensure your Kerio Control is using reliable DNS servers (like 8.8.8.8 or 1.1.1.1) under Configuration > DNS. 3. Clear the Web Filter Cache
Sometimes the local database or cache becomes corrupted, leading the system to believe the service is inactive. Navigate to Configuration > Content Filter > Web Filter. Uncheck Enable Kerio Control Web Filter. Click Apply. Wait 30 seconds, re-check the box, and click Apply again.
If this fails, you may need to clear the cache via the console by deleting the contents of the /var/winroute/webfilter/ directory (advanced users only). 4. Firewall Rules and Port Access
If your Kerio Control is behind another router or ISP firewall, it must be allowed to communicate with the activation servers.
Ports: Ensure HTTPS (Port 443) and HTTP (Port 80) are open for the firewall’s own outbound traffic.
Protocols: Ensure that SSL inspection on a parent device isn't interfering with the Kerio appliance's encrypted handshake with GFI/Kerio servers. 5. Correct System Time and Date
The Web Filter uses SSL/TLS certificates to communicate with categorization servers. If your Kerio Control system time is incorrect, the certificate validation will fail. Go to Configuration > Advanced Options > System Time. Symptoms
Ensure Use NTP server is checked and the time zone is correct. Even a five-minute discrepancy can cause the Web Filter to show as "not activated." 6. Update to the Latest Version
GFI/Kerio frequently updates the URLs used for categorization and licensing. If you are running a very old version of Kerio Control, it may be trying to contact a retired server. Go to Advanced Options > Software Update.
Check for updates and ensure you are running the most recent build compatible with your license. Summary Checklist Potential Cause Expired License Renew SMA or Web Filter subscription. Time Sync Issue Enable NTP and verify the correct Time Zone. DNS Failure Set Kerio to use 8.8.8.8 for system resolution. Server Timeout
Toggle the Web Filter "Enable" checkbox to reset the connection.
By following these steps, you should see the status change to "Activated" and your categorization rules will resume functioning immediately.
Are you seeing any specific error codes in the Kerio Control Error Log when you try to enable the filter?
This error typically occurs when Kerio Control determines the Web Filter is "unreliable," usually because it failed to reach its categorization servers (Zvelo) multiple times. Quick Fix: Disable Reliability Detection Prevention: Keep Web Filtering Active
The most effective way to force the filter back into an "Activated" state is through the SSH console. This prevents the system from automatically disabling the filter when it encounters a brief connection hiccup.
Access SSH: Log into your Kerio Control console using a tool like PuTTY. Navigate to the Directory: cd /opt/kerio/winroute Use code with caution. Copied to clipboard Run the Update Command: ./tinydbclient "update SiteFilter set DetectReliability=0" Use code with caution. Copied to clipboard Restart the Service: /etc/boxinit.d/60winroute restart Use code with caution. Copied to clipboard Secondary Fixes & Prevention
If the issue persists, it usually points to a DNS or License communication problem. Check DNS Forwarding
The filter relies on *.zvelo.com for categorization. If your DNS is failing to resolve this, the filter will deactivate. Go to DNS in the admin interface. Enable Custom DNS forwarding.
Add a rule for *.zvelo.com to use Cloudflare (1.1.1.1) or OpenDNS (208.67.222.222). Verify Authorization
The filter uses a token that expires every 21 days. If your system time is incorrect or you are using blocked DNS servers, the "Invalid Authorization" error may trigger. Ensure your System Time is synced with an NTP server. Check the Error Log for "Invalid Authorization" messages. Manual Activation
Navigate to Content Filter > Applications and Web Categories.
Ensure Enable Kerio Control Web Filter is checked and click Apply.
💡 Pro-Tip: If the filter deactivates frequently, check your internet link speed. Slow links can trigger the "unreliable" flag, which the SSH fix above permanently ignores. Using Kerio Control Web Filter