Kerio Control Web Filter Is Not Activated Categorization Is Disabled Fixed May 2026

| Symptom | Likely Fix | |---------|-------------| | Web filter not activated | Apply/renew Security Pack license | | Categorization disabled | Trigger manual DB update; fix internet access to update server | | Works for HTTP but not HTTPS | Enable SSL inspection | | Works for some users, not others | Check traffic rule web filter setting | | Never works after fresh install | Reinstall web filter component |

If after all these steps the problem persists, collect Kerio Control support bundle (Status → Support Bundle) and open a ticket with GFI Support – they can check if the internal categorization daemon fails to start due to a deeper system issue.

How to Fix "Kerio Control Web Filter is Not Activated, Categorization is Disabled"

If you are seeing the error "Kerio Control Web Filter is not activated; categorization is disabled" in your Kerio Control administration interface, your network's content filtering has essentially been paralyzed. This error prevents the firewall from identifying website categories (like social media, gambling, or malware sites), meaning your custom URL rules won’t work.

Here is a comprehensive guide to troubleshooting and fixing this issue. 1. Verify License Status and Maintenance

The Kerio Control Web Filter is a premium add-on service powered by Cyren (or GFI, depending on your version). It requires a valid, active subscription. Check the Dashboard: Go to Status > License Details.

Verify Expiration: Ensure that both the "Kerio Control" license and the "Web Filter" module are not expired. If your Software Maintenance Agreement (SMA) has lapsed, the categorization servers will refuse the connection from your appliance.

Refresh License: Click Update License Info to force the appliance to check in with the GFI servers. 2. Check DNS Resolution on the Firewall

The Kerio Control appliance must be able to resolve the addresses of the backend categorization servers. If the firewall itself cannot resolve DNS, the Web Filter will fail to activate.

Test DNS: Go to Status > System Health and use the Debug or Ping tool (or SSH into the box). Try to ping google.com or ://kerio.com.

Fix DNS: Ensure your Kerio Control is using reliable DNS servers (like 8.8.8.8 or 1.1.1.1) under Configuration > DNS. 3. Clear the Web Filter Cache

Sometimes the local database or cache becomes corrupted, leading the system to believe the service is inactive. Navigate to Configuration > Content Filter > Web Filter. Uncheck Enable Kerio Control Web Filter. Click Apply. Wait 30 seconds, re-check the box, and click Apply again.

If this fails, you may need to clear the cache via the console by deleting the contents of the /var/winroute/webfilter/ directory (advanced users only). 4. Firewall Rules and Port Access | Symptom | Likely Fix | |---------|-------------| |

If your Kerio Control is behind another router or ISP firewall, it must be allowed to communicate with the activation servers.

Ports: Ensure HTTPS (Port 443) and HTTP (Port 80) are open for the firewall’s own outbound traffic.

Protocols: Ensure that SSL inspection on a parent device isn't interfering with the Kerio appliance's encrypted handshake with GFI/Kerio servers. 5. Correct System Time and Date

The Web Filter uses SSL/TLS certificates to communicate with categorization servers. If your Kerio Control system time is incorrect, the certificate validation will fail. Go to Configuration > Advanced Options > System Time.

Ensure Use NTP server is checked and the time zone is correct. Even a five-minute discrepancy can cause the Web Filter to show as "not activated." 6. Update to the Latest Version

GFI/Kerio frequently updates the URLs used for categorization and licensing. If you are running a very old version of Kerio Control, it may be trying to contact a retired server. Go to Advanced Options > Software Update.

Check for updates and ensure you are running the most recent build compatible with your license. Summary Checklist Potential Cause Expired License Renew SMA or Web Filter subscription. Time Sync Issue Enable NTP and verify the correct Time Zone. DNS Failure Set Kerio to use 8.8.8.8 for system resolution. Server Timeout

Toggle the Web Filter "Enable" checkbox to reset the connection.

By following these steps, you should see the status change to "Activated" and your categorization rules will resume functioning immediately.

Are you seeing any specific error codes in the Kerio Control Error Log when you try to enable the filter?

In the world of network management, few things are as frustrating as seeing a "Not Activated" status on a tool you rely on. Here is the story of how the Kerio Control Web Filter's categorization issue—a common headache for admins—is typically diagnosed and fixed. The Situation Everything seems fine until the administrator logs into the Kerio Control Webadmin and sees a warning:

"Kerio Control Web Filter is not activated. Categorization is disabled." If after all these steps the problem persists,

Suddenly, the dynamic database that rates and blocks content is offline, leaving the network vulnerable or causing intermittent connectivity for users. The Investigation The admin digs into the Error logs and finds a recurring message:

"DNS response timeout, Kerio Control Web Filter categorization disabled"

The system reveals its logic: Kerio Control sends automatic DNS queries to reach update servers. If these fail 10 times in a row within a single minute, the filter decides it can't be trusted and shuts down its categorization engine. This is often caused by: DNS Reliability

: The default ISP DNS servers might be throttling requests from the filter, which makes frequent calls to services like for page ratings. License Hiccups

: The Web Filter requires a specific license. If it's a new install, the 30-day trial may have expired, or a subscription renewal might be overdue. The administrator follows a documented GFI Support solution to bring the system back to life: Switching DNS Providers

: To prevent future timeouts, they move away from ISP DNS and configure Custom DNS forwarding using reliable servers like Cloudflare (1.1.1.1) Disabling Reliability Detection

: If the filter stays "disabled" even after the network is fixed, the admin logs into the Kerio console via

and runs a command to reset the timers and disable the sensitive reliability check: cd /opt/kerio/winroute ./tinydbclient "update SiteFilter set DetectReliability=0" /etc/boxinit.d/60winroute restart Manual Re-activation : Once the backend is stable, they return to the Applications and Web Categories tab and re-check Enable Kerio Control Web Filter

With the reliability check silenced and the DNS queries flying through, the status indicator finally turns green. The filter is active, categorization is restored, and the network is back under control. Are you seeing a specific message or a DNS timeout error in your Kerio Control console? AI responses may include mistakes. Learn more Using Kerio Control Web Filter

The issue where the Kerio Control Web Filter shows as "not activated" and categorization is "disabled"

typically stems from a communication failure with Kerio's update servers or a synchronization error with the Restart the Kerio Control Engine

: Often, a simple service restart or hardware reboot forces a re-authentication with the license servers. Verify DNS Settings : Ensure Kerio Control can resolve external hosts. Use the Google Public DNS (8.8.8.8) or Cloudflare DNS (1.1.1.1) as forwarders. Root Causes & Solutions 1. Expired Authorization Token (Zvelo) If nothing works, the configuration database itself may

Kerio uses a third-party engine (zvelo) for web categorization. If the authorization token (which expires every 21 days) fails to refresh, categorization is disabled. Connect via to your Kerio Control appliance. Check the configuration file: /opt/kerio/winroute/winroute.cfg DiaServerUrl v4.url.zvelo.com Change your DNS forwarders to Cloudflare

(208.67.222.222), as Google DNS sometimes causes failures with zvelo queries. support.keriocontrol.gfi.com 2. Reliability Detection Failure

If Kerio Control fails 10 consecutive DNS check queries within 1 minute, it considers the Web Filter "unreliable" and disables it automatically. support.keriocontrol.gfi.com Fix via SSH cd /opt/kerio/winroute ./tinydbclient "update SiteFilter set DetectReliability=0" /etc/boxinit.d/60winroute restart Use code with caution. Copied to clipboard

This disables the "Reliability detection" feature that turns off the filter during ISP instability. support.keriocontrol.gfi.com 3. License & Maintenance Expiry The Web Filter is a subscription-based module. If your Software Maintenance has expired, the module may deactivate. License Tile to verify the status.

: Ensure your license includes the "Kerio Control Web Filter" module. GFI Support 4. Firewall Blocking Update Servers

If a traffic rule prevents the appliance from reaching the update servers, it cannot validate the Web Filter license.

: Create a rule allowing traffic from the Firewall itself to: prod-update.kerio.com register.kerio.com control-update.kerio.com support.keriocontrol.gfi.com Verification Steps Navigate to Content Filter Applications and Web Categories and enter any website (e.g., google.com

If it returns a category, the filter is active. If it says "Unable to categorize," the authorization issue persists. support.keriocontrol.gfi.com To help you further, could you let me know: of Kerio Control are you running? Do you see an " Invalid Authorization DNS response timeout " error in your Software Maintenance currently active?

I can provide the specific SSH commands for your version once I have these details.

Web Filter categorization disabled. Serial number: ko-197974

If nothing works, the configuration database itself may have inconsistent flags. This is a nuclear option.

Note: Reset only after you have exhausted all other options.

Before diving into fixes, it’s crucial to understand what Kerio Control’s web filter actually does. The product uses a real-time or locally cached URL categorization database (powered by Webroot BrightCloud or similar, depending on the version). When you enable "HTTP Policy" or "HTTPS inspection," Kerio needs to know whether facebook.com is "Social Networking" or if malware-site.com is "Malware."

The error "Categorization is disabled" appears if: