If you are a network administrator managing a Kerio Control firewall (formerly WinRoute), you may have encountered a frustrating red banner or log entry stating:
"Web Filter is not activated. Categorization is disabled."
Alternatively, you might see a variation: "HTTP Policy: Web filter is not available. Categorization is disabled. The 'URL Filtering' rule will be skipped."
This message indicates that Kerio Control's URL filtering engine—which categorizes websites (e.g., Social Media, Malware, Adult Content)—is either unlicensed, misconfigured, or experiencing a service interruption. When this happens, any firewall rule relying on Web Filter Categories will fail silently, potentially allowing blocked content or blocking allowed content depending on your rule logic.
In this long-form guide, we will dissect every possible cause of the "Web Filter is not activated. Categorization is disabled" error and provide step-by-step solutions to restore full URL filtering functionality.
One of the most common administrative headaches in Kerio Control environments is encountering a state where the Web Filter module reports that it is "Not Activated" and "Categorization is Disabled." This state effectively renders Content-Aware Firewall policies useless, leaving the network vulnerable to malware, phishing, and productivity drains. This write-up explores the root causes of this issue and provides a step-by-step resolution guide.
If you want, I can produce:
The error message "Kerio Control Web Filter is not activated; categorization is disabled" typically occurs when the firewall cannot reach its external categorization servers or has encountered a licensing/authorization failure. This issue is a common pain point for administrators using the GFI Kerio Control Unified Threat Management (UTM) solution. Core Issue Overview
The Kerio Control Web Filter relies on a third-party service called Zvelo to categorize URLs. When the filter shows as "not activated," it means the local Kerio appliance is unable to verify categories for websites, effectively disabling content-based blocking rules. Common Root Causes
DNS Failures: Kerio Control performs automatic DNS health checks. If 10 consecutive queries fail within one minute, the system marks the Web Filter as "not reliable" and disables it.
Invalid Authorization: This often stems from an expired Zvelo token (which typically expires after 21 days). If the appliance cannot fetch a new token from Kerio’s internal servers, the filter remains inactive.
ISP Restrictions: Some ISPs limit the frequency of DNS requests, which can trigger reliability errors since the web filter makes numerous requests to zvelo.com for categorization. Troubleshooting & Fixes
To resolve this "disabled" state, administrators often use the following official GFI Support steps:
Change DNS Servers: Switch your custom DNS forwarders to stable providers like Cloudflare (1.1.1.1) or OpenDNS (208.67.222.222) specifically for *.zvelo.com traffic.
Disable Reliability Detection: If the filter stays disabled due to minor network blips, you can use SSH to run:./tinydbclient "update SiteFilter set DetectReliability=0"This prevents the system from automatically disabling the filter when it perceives the connection as unreliable.
Manual Activation: Ensure the filter is toggled on under Content Filter > Applications and Web Categories in the administration interface. User Experience Impact
Pros: When active, the filter provides robust, color-coded rule management and automated blocking of malicious sites, ads, and peer-to-peer networks.
Cons: Users report that when the filter is "disabled," the entire security policy for web access may fail open or closed depending on configuration, leading to either security gaps or frustrated users unable to access legit sites.
Are you currently facing this error on a hardware appliance or a virtual machine? Using Kerio Control Web Filter - KerioControl - GFI
DNS Reliability Detection: Kerio Control automatically disables the web filter if it fails to receive DNS responses from update servers 10 times in a row.
Fix: You can disable this "Reliability detection" via the GFI Support command-line fix to prevent automatic shutdowns during minor connectivity blips.
Expired or Missing License: The Kerio Control Web Filter requires a specific license module. If the license expires or you are using a trial version past 30 days, categorization will be disabled automatically.
DNS Configuration Issues: Using standard public DNS (like Google 8.8.8.8) can sometimes lead to "Invalid Authorization" errors with the classification service.
Fix: It is recommended to use Cloudflare or OpenDNS (208.67.222.222) as custom DNS servers for the *.zvelo.com domains used for categorization.
Guest Network Limitations: If the user is connected through a guest interface, Kerio Control disables the Web Filter for that traffic by default. Managing "Lifestyle and Entertainment" Content
If categorization is working but a specific site in the Lifestyle and Entertainment group is being blocked incorrectly, you can manage this in the Kerio Control Web Filter settings:
Navigate to Content Filter > Applications and Web Categories.
Use the Test URL tool to see if the site is correctly identified.
If miscategorized, you can report it or add the specific URL to the URL Whitelist to bypass the general category block.
Have you checked your Error Logs for "DNS response timeout" or "Invalid Authorization" to see exactly why it's dropping?
Resolving Web Filter Invalid authorization failures - KerioControl
The appliance must reach GFI's cloud categorization servers on HTTPS (TCP/443).
SSH into the Kerio Control box (or use the web admin → Diagnostics → Shell) and run:
curl -v https://download.gfi.com/
curl -v https://update.gfi.com/
Also test the license validation server:
nslookup license.gfi.com
Expected result: HTTP 200 or HTTP 403 (any response proves connectivity).
If connection fails:
Kerio Control’s web content filtering is failing: the Web Filter service shows “not activated” and URL categorization is disabled, causing unfiltered web access. This is a high-priority (hot) problem because it bypasses policy enforcement and exposes users to inappropriate or malicious content.
Older versions (pre-9.3.5 or 10.x early builds) had known issues with GFI’s cloud categorization endpoints migrating to new TLS ciphers.
Note: You need a valid maintenance contract to upgrade.
