Kerio Control Web Filter Is Not Activated Categorization Is Disabled Hot [BEST]
Kerio Control — Web Filter Not Activated / Categorization Disabled (Hot Issue)
Introduction
If you are a network administrator managing a Kerio Control firewall (formerly WinRoute), you may have encountered a frustrating red banner or log entry stating:
"Web Filter is not activated. Categorization is disabled."
Alternatively, you might see a variation: "HTTP Policy: Web filter is not available. Categorization is disabled. The 'URL Filtering' rule will be skipped."
This message indicates that Kerio Control's URL filtering engine—which categorizes websites (e.g., Social Media, Malware, Adult Content)—is either unlicensed, misconfigured, or experiencing a service interruption. When this happens, any firewall rule relying on Web Filter Categories will fail silently, potentially allowing blocked content or blocking allowed content depending on your rule logic.
In this long-form guide, we will dissect every possible cause of the "Web Filter is not activated. Categorization is disabled" error and provide step-by-step solutions to restore full URL filtering functionality.
Step-by-Step Diagnosis & Repair
Do not restart the entire firewall yet. Follow this logical sequence:
1. Report Overview
Title:
Investigation & Resolution of Web Filter Categorization Disabled in Kerio Control
Error Message Observed:
“Kerio Control Web Filter is not activated. Categorization is disabled.”
Affected Component:
Kerio Control Web Filter (URL filtering, content categorization, web policy rules based on categories)
Severity:
High – Web filtering rules relying on URL categories will not work; traffic may bypass policy restrictions or be blocked incorrectly. Kerio Control — Web Filter Not Activated /
Final Note
If the issue persists after following all steps:
- Check Kerio Control’s Debug log for errors containing
categorizationorlicense. - Contact GFI/Kerio support with your license key and diagnostics bundle.
Document version: 1.0 – Applicable to Kerio Control 9.x and later.
To resolve the issue where the Kerio Control Web Filter is reported as not activated and categorization is disabled, you typically need to address underlying DNS or authorization issues. This error often occurs when the firewall cannot reach the Zvelo categorization servers. Immediate Fixes
Restart Kerio Control: In many cases, a simple reboot restores connectivity and reactivates the filter automatically.
Manual Activation: Ensure the filter is checked in the administration interface under Content Filter > Applications and Web Categories. Troubleshooting DNS and Authorization
The "categorization disabled" state is often a reliability safety measure triggered after multiple failed DNS queries. Configure Custom DNS Forwarding: Go to DNS in the admin interface. Enable custom DNS forwarding for *.zvelo.com.
Set the DNS servers to Cloudflare (1.1.1.1) or OpenDNS (208.67.222.222), as Google's DNS can sometimes cause authorization token issues.
Check for Expired Tokens: Zvelo key tokens expire every 21 days. If your firewall has been offline or has incorrect time settings, it may fail to update this token. Advanced CLI Solution (If Reliability Check is Stuck)
If the filter remains disabled after a restart, you can manually reset the reliability detection via SSH: Login to the console via SSH. Navigate to the directory: cd /opt/kerio/winroute.
Run the following command to disable the reliability check:./tinydbclient "update SiteFilter set DetectReliability=0" Restart the service: /etc/boxinit.d/60winroute restart. "Web Filter is not activated
Note: If your 30-day trial has expired, these options will be greyed out and unavailable until a valid license is applied.
Web Filter categorization disabled. Serial number: ko-197974
“Kerio Control Web Filter is not activated. Categorization is disabled.”
4. Correct System Time
- Wrong date/time breaks SSL handshakes with cloud services.
- Set correct timezone and enable NTP under Configuration → Date and Time.
Troubleshooting Guide: "Kerio Control Web Filter is Not Activated, Categorization is Disabled"
Introduction: The "Hot" Error That Leaves Networks Exposed
Imagine this: You are in the middle of a busy workday. A user reports they can suddenly access Netflix, Reddit, or a known malware site. You log into your Kerio Control firewall (formerly WinRoute) and navigate to the Web Filter section. Instead of the usual green checkmarks, you are greeted with a red warning: "Web Filter is not activated, categorization is disabled." Often, administrators notice a specific artifact appended to this description: "hot."
This error is a critical red flag. It means your content filtering engine is offline. For businesses relying on Kerio Control for productivity, compliance, and security, disabled categorization turns your expensive UTM appliance into a basic NAT router.
This article dives deep into why this error occurs, why it often appears with "hot" status, and the step-by-step recovery process.
4. System Time Drift (NTP Failure)
URL categorization uses SSL certificates and timestamps. If your Kerio server’s clock is off by more than 5 minutes (common on virtual machines with paused snapshots), the handshake fails. The system reports "disabled" because it cannot validate the security token.
Diagnostic data to collect before contacting support
- Screenshot of Web Filter status and any error messages.
- System > Diagnostics / Support Package (if available) export.
- Relevant logs (web filter, system, update) for the last 24–72 hours.
- License ID and expiry date.
- Kerio Control version and recent changes (patches, config changes).
- Results of connectivity tests to update endpoints and NTP/DNS servers.
If you want, I can produce:
- a short incident ticket summary for IT ops,
- CLI commands or exact UI navigation for a specific Kerio Control version,
- or a sample email to vendor support including the diagnostic data. Which would you like?
DNS Reliability Detection: Kerio Control automatically disables the web filter if it fails to receive DNS responses from update servers 10 times in a row.
Fix: You can disable this "Reliability detection" via the GFI Support command-line fix to prevent automatic shutdowns during minor connectivity blips.
Expired or Missing License: The Kerio Control Web Filter requires a specific license module. If the license expires or you are using a trial version past 30 days, categorization will be disabled automatically.
DNS Configuration Issues: Using standard public DNS (like Google 8.8.8.8) can sometimes lead to "Invalid Authorization" errors with the classification service.
Fix: It is recommended to use Cloudflare or OpenDNS (208.67.222.222) as custom DNS servers for the *.zvelo.com domains used for categorization.
Guest Network Limitations: If the user is connected through a guest interface, Kerio Control disables the Web Filter for that traffic by default. Managing "Lifestyle and Entertainment" Content
If categorization is working but a specific site in the Lifestyle and Entertainment group is being blocked incorrectly, you can manage this in the Kerio Control Web Filter settings:
Navigate to Content Filter > Applications and Web Categories.
Use the Test URL tool to see if the site is correctly identified.
If miscategorized, you can report it or add the specific URL to the URL Whitelist to bypass the general category block. Alternatively, you might see a variation: "HTTP Policy:
Have you checked your Error Logs for "DNS response timeout" or "Invalid Authorization" to see exactly why it's dropping?
Resolving Web Filter Invalid authorization failures - KerioControl