Kerio Control Web Filter Is Not Activated: Categorization Is Disabled

While categorization is broken, you can still filter by:

But cloud category-based blocking (e.g., “Block Pornography”) will not work until the error is resolved.


DNS Reliability Detection: Kerio Control automatically disables the web filter if it fails to receive DNS responses from update servers 10 times in a row.

Fix: You can disable this "Reliability detection" via the GFI Support command-line fix to prevent automatic shutdowns during minor connectivity blips.

Expired or Missing License: The Kerio Control Web Filter requires a specific license module. If the license expires or you are using a trial version past 30 days, categorization will be disabled automatically.

DNS Configuration Issues: Using standard public DNS (like Google 8.8.8.8) can sometimes lead to "Invalid Authorization" errors with the classification service.

Fix: It is recommended to use Cloudflare or OpenDNS (208.67.222.222) as custom DNS servers for the *.zvelo.com domains used for categorization.

Guest Network Limitations: If the user is connected through a guest interface, Kerio Control disables the Web Filter for that traffic by default.

Managing "Lifestyle and Entertainment" Content

If categorization is working but a specific site in the Lifestyle and Entertainment group is being blocked incorrectly, you can manage this in the Kerio Control Web Filter settings:

Navigate to Content Filter > Applications and Web Categories.

Use the Test URL tool to see if the site is correctly identified.

If miscategorized, you can report it or add the specific URL to the URL Whitelist to bypass the general category block.

Have you checked your Error Logs for "DNS response timeout" or "Invalid Authorization" to see exactly why it's dropping?

Resolving Web Filter Invalid authorization failures - KerioControl

This error indicates that Kerio Control cannot verify its license or reach the categorization servers, typically due to DNS timeouts or license expiration.

Quick Fixes

Check DNS Forwarders: Use reliable DNS servers like Cloudflare (1.1.1.1) or (208.67.222.222). Avoid using Google DNS (8.8.8.8) for Zvelo lookups as it can cause authorization failures.

Restart the System: Rebooting Kerio Control often restores the link to the update servers.

Verify License: Ensure your Kerio Control Web Filter license is active. Without it, the module disables itself 30 days after installation.

Advanced SSH Resolution

If the error persists despite a stable internet connection, Kerio Control's "Reliability Detection" may have permanently disabled the filter after 10 failed connection attempts. You can reset this as follows:

Log in to Kerio Control via SSH (e.g., using ).

Navigate to the directory: cd /opt/kerio/winroute

Disable Reliability detection and reset the timers: ./tinydbclient "update SiteFilter set DetectReliability=0"

Restart the engine: /etc/boxinit

Configuration Check

In the administration interface, go to Content Filter > Applications and Web Categories.

Ensure "Enable Kerio Control Web Filter" is checked.

If a specific site is still blocked erroneously, use the feature in this same tab to report the miscategorization to Zvelo.

Does your current license show as active under the Dashboard/Status section?

Using Kerio Control Web Filter

The error "Web Filter categorization is disabled" usually occurs when Kerio Control determines the categorization service (provided by ) is unreliable due to failed DNS checks. By default, if Kerio Control fails to reach update servers 10 times in 1 minute, it disables categorization.

Immediate Hotfix (via SSH)

To force the Web Filter back into an active state and prevent it from disabling itself due to "unreliability," you can disable the reliability check using the GFI Support recommended commands:

Log in to the Kerio Control console via SSH (e.g., using ).

Navigate to the configuration directory: cd /opt/kerio/winroute

Disable the reliability detection and reset the status: ./tinydbclient "update SiteFilter set DetectReliability=0"

Restart the Kerio Control engine: /etc/boxinit.d/60winroute restart

Permanent Fixes & Troubleshooting

If the hotfix above does not resolve the issue permanently, check these configurations:

Custom DNS Forwarding: Using certain DNS servers (like Google's) for all traffic can sometimes interfere with Zvelo's authorization tokens. in the admin interface. Custom DNS Forwarding *.zvelo.com Cloudflare (1.1.1.1) or (208.67.222.222). the Kerio Control appliance after making this change.

Check Winroute Config: Ensure the DiaServerUrl is correctly set. In /opt/kerio/winroute/winroute.cfg, verify that the value is v4.url.zvelo.com

Activation Verification: Navigate to Content Filter > Applications and Web Categories. Ensure "Enable Kerio Control Web Filter" is checked. Test a URL in the field to see if it provides a category.

License Issues: If the filter shows "Invalid Authorization," your Zvelo token may have expired. This typically happens if the firewall cannot reach internal Kerio servers to refresh the 21-day token.

Web Filter categorization disabled. Serial number: ko-197974

If categorization is still disabled and users need immediate protection:

If the database fails to update, the appliance cannot resolve the update server.

Troubleshooting "Kerio Control Web Filter is Not Activated: Categorization is Disabled"

The error message "Kerio Control Web Filter is not activated; categorization is disabled" typically indicates a communication failure between your Kerio Control appliance and the external categorization servers (primarily Zvelo). When this service fails, your content rules based on web categories (like "Social Networking" or "Malware") stop functioning, potentially leaving your network exposed.

Common Root Causes

DNS Failures: Kerio Control performs automatic reliability checks. If it fails to receive DNS responses 10 times in a row within one minute, it marks the Web Filter as "not reliable" and disables categorization.

Expired Authorization Tokens: Categorization relies on Zvelo key tokens that expire every 21 days. If these tokens fail to refresh, you will see an "Invalid Authorization" error in your logs.

Licensing Issues: The Web Filter requires a separate, active license. If your license has expired or is invalid, the module reverts to trial mode and eventually disables itself.

Connectivity and ISP Throttling: Some ISPs throttle frequent DNS requests to external databases like zvelo.com, causing the filter to time out and disable itself.

Step-by-Step Solutions

1. Fix DNS Forwarding and Reachability

Incorrect DNS settings often block the appliance from reaching update servers.

Use Reliable DNS Forwarders: It is recommended to use Cloudflare (1.1.1.1) or OpenDNS (208.67.222.222) as custom DNS servers specifically for *.zvelo.com and *.kerio.com URLs.

Test Reachability: Verify if the appliance can ping update servers like bdupdate.kerio.com or prod-update.kerio.com. If you can only ping them by IP address (e.g., 35.168.223.144), your DNS configuration is the primary issue.

2. Disable Reliability Detection (SSH Method)

If your Internet connection is stable but the "Reliability Detection" feature is being too aggressive, you can disable it via the Kerio Control console.

Access your Kerio Control console via SSH (e.g., using PuTTY).

Navigate to the directory: cd /opt/kerio/winroute

Execute the following command to disable the reliability check: ./tinydbclient "update SiteFilter set DetectReliability=0"

Restart the service: /etc/boxinit.d/60winroute restart

3. Resolve Invalid Authorization

If logs show an "Invalid Authorization" error, your Zvelo token may be stuck or expired.

Check the /opt/kerio/winroute/winroute.cfg file via SSH and ensure the DiaServerUrl value is set to v4.url.zvelo.com.

Reboot the Appliance: After updating DNS settings, a reboot is often necessary to refresh the token transfer from Kerio internal servers.

4. Verify License Status

Navigate to Configuration > License in the web administration interface.

Ensure the "Web Filter" module is listed as active. If it shows as "Expired" or "Not Licensed," you must renew your subscription to reactivate categorization.

If you have a license but it won't load, check for disk space issues. You may need to clear cache files from the /var/kerio/webctrl/ folder to free up room for the license file.

Temporary Workarounds

While troubleshooting, you can maintain some control by using URL-based rules instead of category-based ones. Since categorization is disabled, rules that rely on "Applications and Web Categories" will fail, but manual rules (e.g., blocking facebook.com directly) will still work.

Are you seeing specific "DNS response timeout" or "Invalid Authorization" errors in your Kerio Control Error logs?
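
To answer that from an exported error log, the following added example (not Kerio or GFI code) counts the two error strings named above and reports the first point at which 10 DNS timeouts fall within one minute, the threshold at which reliability detection disables categorization. The "[dd/Mon/yyyy HH:MM:SS] message" line layout and the sample entries are assumptions constructed for illustration, and because an error log does not record successful lookups, "10 in a row" is approximated as 10 consecutive timeout entries.

```python
import re
from collections import deque
from datetime import datetime

# Assumed line layout: "[dd/Mon/yyyy HH:MM:SS] message". Adjust to match your export.
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+(?P<msg>.*)$")
TS_FORMAT = "%d/%b/%Y %H:%M:%S"
FAIL_LIMIT = 10        # failures that disable categorization (from the article)
WINDOW_SECONDS = 60    # "within one minute" (from the article)


def triage(lines):
    """Count both error types and find the first burst of DNS timeouts
    dense enough to trip reliability detection."""
    counts = {"DNS response timeout": 0, "Invalid Authorization": 0}
    recent = deque(maxlen=FAIL_LIMIT)  # timestamps of the latest timeouts
    tripped_at = None
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a timestamped entry
        try:
            ts = datetime.strptime(m.group("ts"), TS_FORMAT)
        except ValueError:
            continue  # timestamp in an unexpected format
        msg = m.group("msg").lower()
        if "invalid authorization" in msg:
            counts["Invalid Authorization"] += 1
        if "dns response timeout" in msg:
            counts["DNS response timeout"] += 1
            recent.append(ts)
            span = (ts - recent[0]).total_seconds()
            if tripped_at is None and len(recent) == FAIL_LIMIT and span <= WINDOW_SECONDS:
                tripped_at = ts
    return {"counts": counts, "tripped_at": tripped_at}


def sample_log():
    """Constructed entries, not real appliance output."""
    scattered = ["[03/Mar/2025 08:00:00] Web Filter: DNS response timeout",
                 "[03/Mar/2025 08:10:00] Web Filter: DNS response timeout"]
    burst = [f"[03/Mar/2025 09:15:{s:02d}] Web Filter: DNS response timeout"
             for s in range(0, 50, 5)]
    auth = ["[03/Mar/2025 09:20:00] Web Filter: Invalid Authorization"]
    return scattered + burst + auth


if __name__ == "__main__":
    print(triage(sample_log()))
```

A non-empty tripped_at points to the DNS forwarding and reliability detection steps; Invalid Authorization entries without a burst point to the token and license checks.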
