Leo stared at the blinking green cursor on his terminal, the words "Kerio Control: Web Filter not activated. Categorization is disabled." burning like a warning flare.
He was the sysadmin at a small, progressive high school, "The Horizon Academy." The school board had just approved a "responsible digital citizenship" curriculum, which meant Leo was supposed to disable the old, draconian web filter. Their theory: teach kids to self-regulate, not just block them. Leo’s job was to make the network functional but unfiltered.
But the Kerio Control box was ancient, a cranky little server that had been patched, rebooted, and cursed at for five years. When Leo clicked "Save" on the new, filter-less policy, the system didn't just turn off protection—it threw an error. Specifically:
"Kerio Control: Web Filter not activated. Categorization is disabled."
Leo shrugged. That was the goal, right?
He was wrong.
Monday, 8:15 AM
The first wave was innocent. A freshman in Ms. Albright’s history class searched for "Roman Empire engineering." Without categorization, the filter didn't know if this was "Education" or "Weapons." The system defaulted to a limbo state—it let everything through, but it also forgot how to cache or prioritize.
The student’s query hit the main server, then bounced to an ad network, then to a CDN in Moldova, then back. The round trip took 14 seconds. Ms. Albright’s smartboard froze, displaying a spinning wheel of death over a pixelated image of a Roman aqueduct.
Tuesday, 10:20 AM
Mr. Henderson in the library noticed it next. Students researching "endangered species" were being served ads for exotic leather boots. Without content categorization, the traffic shaper had no idea what was payload and what was noise. The school’s 500 Mbps pipe was suddenly acting like DSL.
"Why is YouTube buffering?" a student whined.
"It's not YouTube," Leo muttered, pulling up Kerio’s raw logs. The logs were a screaming kaleidoscope of IP addresses: 45% legitimate school traffic, 55% botnets, cryptominers, and zombie click-farms that had slipped in because no filter was there to blacklist known malicious domains.
Kerio wasn't just a wall; it was a traffic cop. And the cop had gone home.
Wednesday, 1:00 PM – The Boiling Point
The new AI-powered grading platform, "GradeSwift," went down. Every teacher in the building lost their progress reports. The cause? Without bandwidth categorization, a single student’s background torrent client (which he thought he’d closed) opened 8,000 concurrent connections to a seedbox in Luxembourg. Kerio, confused, treated the torrent packets with the same priority as the principal’s Zoom call with the district superintendent.
The call dropped. The superintendent was mid-sentence.
Then came the other problem. Since categorization was disabled, the "safe search" enforcement was also off. A seventh-grader innocently searching for "swim team" was shown results that would make a sailor blush. The filter wasn't blocking bad things; it also wasn't blocking inappropriate things that looked like innocent things. Leo stared at the blinking green cursor on
The principal, Dr. Evans, stormed into Leo's office. "Leo. A parent just called. Their child searched for 'how to build a birdhouse' and got a pop-up for… well, for things you build with birdseed, but not that kind."
Leo stared at the Kerio dashboard. The message was still there, mocking him:
"Web Filter not activated. Categorization is disabled."
He finally understood. "Disabled" didn't mean "open and free." It meant "chaotic and blind." The filter’s absence hadn't created a utopia of self-regulation; it had created a digital jungle where nothing worked right, everything was slow, and the worst stuff rose to the top because there was nothing to push it down.
The Fix
That night, Leo didn't turn the filter back on. Instead, he wrote a 17-line script. It didn't enable categorization. It did something smarter. He set Kerio to a "Log-Only" mode with a custom rule: If categorization is disabled, then throttle all un-categorized traffic to 1kbps and route it to a local cache that updates every 10 seconds.
It was a hack, a Frankenstein solution. But when he hit "Apply," the terminal blinked once.
Status: Web Filter – Custom Policy. Categorization – Bypassed. Work – Resume.
The spinning wheels stopped. The principal’s Zoom reconnected. The torrent client was reduced to a sad, slow trickle. And the seventh-grader’s search for "swim team" now just showed photos of a local pool's schedule.
Leo leaned back. The Kerio box hummed quietly. It wasn't fixed. It was working—despite being broken. And sometimes, that’s the best a sysadmin can hope for.
He printed the error message from Monday and taped it to his monitor. It became his motto: "Not activated. Disabled. But it works."
Because in the end, a good admin doesn't need the filter. He just needs the feeling of the filter—and a really clever script.
Step 1: Verify the License
The Web Filter is a premium feature. If your license does not include it, or if the license has expired, the categorization engine will shut down.
- Log in to the Kerio Control Administration Console.
- Navigate to Configuration > Licenses.
- Look for the Kerio Control Web Filter entry.
- Does it have a green checkmark?
- Is the status "Active"?
- Does the license capacity cover the number of users on your network?
If the license is missing or invalid, you must upload a new license file or contact your vendor.
Conclusion
The message “Kerio Control web filter is not activated – categorization is disabled” is not a minor glitch—it signals that category-based content filtering is completely offline. Most often, the culprit is an expired license, DNS failure, or an outbound firewall rule blocking the appliance’s own traffic.
By systematically working through the eight steps outlined above—license validation, enabling the engine, checking DNS and NTP, configuring an upstream proxy, and clearing corrupted caches—you can restore full web filtering in minutes.
Remember: Cloud categorization requires the firewall itself to act as a client. Treat it like any other workstation that needs DNS, NTP, and outbound HTTPS access. With proper monitoring and preventative maintenance, you can ensure that “categorization disabled” becomes a rare event rather than a recurring headache. Monday, 8:15 AM
The first wave was innocent
Need further assistance?
Visit the official Kerio Control Knowledge Base or the GFI Community Forums. Always include your debug logs (Diagnostics → Generate Support Info) when seeking vendor support.
Last updated: 2025
Revision: 4.0
If you are encountering the error "Kerio Control Web Filter is not activated; categorization is disabled," your firewall has likely triggered a safety mechanism that pauses web filtering when it cannot reliably reach the categorization servers.
This issue is typically caused by unstable DNS connections, expired authentication tokens, or network reliability checks failing multiple times in a row. Use the following guide to troubleshoot and implement workarounds. 1. Immediate Workaround: Disable Reliability Detection
Kerio Control is designed to disable the Web Filter if it fails 10 consecutive DNS checks to reach the update servers within one minute. You can force it to ignore these failures and keep the filter active by using the SSH console. Steps to disable reliability detection:
Enable SSH: Hold the Shift key while navigating to Status > System Health in the admin interface, then click Enable SSH.
Access the Shell: Connect to your Kerio device via SSH (e.g., using PuTTY ). Run these commands:
cd /opt/kerio/winroute ./tinydbclient "update SiteFilter set DetectReliability=0" /etc/boxinit.d/60winroute restart Use code with caution.
Note: This will restart the Kerio Control service and may cause a brief internet interruption. 2. Resolve "Invalid Authorization" and Token Errors
The Web Filter uses an external service (Zvelo) which requires a valid authorization token. These tokens expire every 21 days. If your DNS settings prevent the token from renewing, categorization will be disabled.
Change DNS Forwarding: Do not use Google DNS (8.8.8.8) for all requests, as it can sometimes cause issues with Zvelo authentication.
Configure Custom Forwarding: Navigate to Configuration > DNS. Check Enable custom DNS forwarding and add a rule for *.zvelo.com to use Cloudflare (1.1.1.1) or OpenDNS (208.67.222.222) instead. 3. Fix Licensing and Activation Issues
The Web Filter requires a specific active license; without it, the module behaves as a trial and will automatically disable after 30 days.
Check Subscription Status: In the GFI Accounts Portal , verify your license is not expired.
Offline Registration: If the online activation fails due to network issues, download the license file from the Kerio Product Registration page and use the Register Offline option in the Kerio Activation Wizard.
Check Disk Space: A full disk can prevent the license file from saving. Use SSH to check disk space and clear cache files in /var/lib/firebase if necessary. 4. Troubleshooting Miscategorized or Blocked Sites
If the filter is activated but still blocking legitimate sites, you can bypass the categorization engine for specific URLs. Using Kerio Control Web Filter Step 1: Verify the License The Web Filter
When your Kerio Control Web Filter displays a "not activated" status or states that "categorization is disabled," it usually stems from a connectivity failure between your firewall and the Zvelo categorization servers.
If a simple restart doesn't fix it, follow these steps to restore functionality: 1. Resolve Connectivity & Reliability Issues
Kerio Control will disable the Web Filter if it fails to receive a DNS response from update servers 10 times in a row. This is a safety mechanism to prevent network hangs when the filter isn't "reliable."
Temporary Fix: Restart the Kerio Control appliance to restore immediate internet access.
Permanent Fix (via SSH): To prevent future automatic disabling, you must disable the DetectReliability feature: Access the Kerio Control shell via SSH. Navigate to the directory: cd /opt/kerio/winroute.
Execute this command to disable reliability detection:./tinydbclient "update SiteFilter set DetectReliability=0". Restart the engine: /etc/boxinit.d/60winroute restart. 2. Update DNS Forwarding Servers
If you are using Google's DNS (8.8.8.8), you might encounter "Invalid Authorization" errors because Zvelo key tokens expire every 21 days and may fail to refresh through these servers.
Solution: Change your custom DNS forwarding servers for *.zvelo.com to Cloudflare (1.1.1.1) or OpenDNS (208.67.222.222).
Action: Update these settings in Configuration > DNS, then reboot the appliance. 3. Verify License & Activation Status
The Web Filter requires a specific active license module. If your core license is valid but the filter is "not activated," it may be a module-specific expiration.
Check Status: Go to the Dashboard in the Kerio Control Administration interface to verify the license expiration date.
Re-enable Manually: Sometimes the filter just needs to be toggled:
Navigate to Content Filter > Applications and Web Categories. Uncheck and re-check Enable Kerio Control Web Filter. Click Apply. 4. Advanced Troubleshooting: HTTPS & Wildcards
If specific sites still aren't being categorized correctly or are blocked despite being whitelisted:
Enable HTTPS Decryption: The filter cannot categorize encrypted traffic without HTTPS decryption enabled under Content Filter > HTTPS Filtering.
Wildcard Handling: If you whitelist a domain, ensure you use a trailing wildcard (e.g., *.domain.com/*) to capture all sub-paths. Using Kerio Control Web Filter
Common Causes
There are three primary reasons why this status appears:
- Licensing Issues: The "Kerio Control Web Filter" license module is invalid, expired, or not installed.
- Connectivity Blockage: The firewall cannot reach the Kerio cloud servers due to DNS issues or restrictive firewall rules.
- Configuration Oversight: The feature was manually disabled in the advanced settings.
4. Traffic is Exempt from Filtering
If the log says categorization is disabled for a specific connection, it might be bypassed.
- Check: Go to Content Filter > Web Filter > Exceptions.
- Fix: Ensure the user, IP address, or website you are testing is not listed in the Exceptions list.
Leo stared at the blinking green cursor on his terminal, the words "Kerio Control: Web Filter not activated. Categorization is disabled." burning like a warning flare.
He was the sysadmin at a small, progressive high school, "The Horizon Academy." The school board had just approved a "responsible digital citizenship" curriculum, which meant Leo was supposed to disable the old, draconian web filter. Their theory: teach kids to self-regulate, not just block them. Leo’s job was to make the network functional but unfiltered.
But the Kerio Control box was ancient, a cranky little server that had been patched, rebooted, and cursed at for five years. When Leo clicked "Save" on the new, filter-less policy, the system didn't just turn off protection—it threw an error. Specifically:
"Kerio Control: Web Filter not activated. Categorization is disabled."
Leo shrugged. That was the goal, right?
He was wrong.
Monday, 8:15 AM
The first wave was innocent. A freshman in Ms. Albright’s history class searched for "Roman Empire engineering." Without categorization, the filter didn't know if this was "Education" or "Weapons." The system defaulted to a limbo state—it let everything through, but it also forgot how to cache or prioritize.
The student’s query hit the main server, then bounced to an ad network, then to a CDN in Moldova, then back. The round trip took 14 seconds. Ms. Albright’s smartboard froze, displaying a spinning wheel of death over a pixelated image of a Roman aqueduct.
Tuesday, 10:20 AM
Mr. Henderson in the library noticed it next. Students researching "endangered species" were being served ads for exotic leather boots. Without content categorization, the traffic shaper had no idea what was payload and what was noise. The school’s 500 Mbps pipe was suddenly acting like DSL.
"Why is YouTube buffering?" a student whined.
"It's not YouTube," Leo muttered, pulling up Kerio’s raw logs. The logs were a screaming kaleidoscope of IP addresses: 45% legitimate school traffic, 55% botnets, cryptominers, and zombie click-farms that had slipped in because no filter was there to blacklist known malicious domains.
Kerio wasn't just a wall; it was a traffic cop. And the cop had gone home.
Wednesday, 1:00 PM – The Boiling Point
The new AI-powered grading platform, "GradeSwift," went down. Every teacher in the building lost their progress reports. The cause? Without bandwidth categorization, a single student’s background torrent client (which he thought he’d closed) opened 8,000 concurrent connections to a seedbox in Luxembourg. Kerio, confused, treated the torrent packets with the same priority as the principal’s Zoom call with the district superintendent.
The call dropped. The superintendent was mid-sentence.
Then came the other problem. Since categorization was disabled, the "safe search" enforcement was also off. A seventh-grader innocently searching for "swim team" was shown results that would make a sailor blush. The filter wasn't blocking bad things; it also wasn't blocking inappropriate things that looked like innocent things.
The principal, Dr. Evans, stormed into Leo's office. "Leo. A parent just called. Their child searched for 'how to build a birdhouse' and got a pop-up for… well, for things you build with birdseed, but not that kind."
Leo stared at the Kerio dashboard. The message was still there, mocking him:
"Web Filter not activated. Categorization is disabled."
He finally understood. "Disabled" didn't mean "open and free." It meant "chaotic and blind." The filter’s absence hadn't created a utopia of self-regulation; it had created a digital jungle where nothing worked right, everything was slow, and the worst stuff rose to the top because there was nothing to push it down.
The Fix
That night, Leo didn't turn the filter back on. Instead, he wrote a 17-line script. It didn't enable categorization. It did something smarter. He set Kerio to a "Log-Only" mode with a custom rule: If categorization is disabled, then throttle all un-categorized traffic to 1kbps and route it to a local cache that updates every 10 seconds.
It was a hack, a Frankenstein solution. But when he hit "Apply," the terminal blinked once.
Status: Web Filter – Custom Policy. Categorization – Bypassed. Work – Resume.
The spinning wheels stopped. The principal’s Zoom reconnected. The torrent client was reduced to a sad, slow trickle. And the seventh-grader’s search for "swim team" now just showed photos of a local pool's schedule.
Leo leaned back. The Kerio box hummed quietly. It wasn't fixed. It was working—despite being broken. And sometimes, that’s the best a sysadmin can hope for.
He printed the error message from Monday and taped it to his monitor. It became his motto: "Not activated. Disabled. But it works."
Because in the end, a good admin doesn't need the filter. He just needs the feeling of the filter—and a really clever script.
Step 1: Verify the License
The Web Filter is a premium feature. If your license does not include it, or if the license has expired, the categorization engine will shut down.
- Log in to the Kerio Control Administration Console.
- Navigate to Configuration > Licenses.
- Look for the Kerio Control Web Filter entry.
- Does it have a green checkmark?
- Is the status "Active"?
- Does the license capacity cover the number of users on your network?
If the license is missing or invalid, you must upload a new license file or contact your vendor.
Conclusion
The message “Kerio Control web filter is not activated – categorization is disabled” is not a minor glitch—it signals that category-based content filtering is completely offline. Most often, the culprit is an expired license, DNS failure, or an outbound firewall rule blocking the appliance’s own traffic.
By systematically working through the eight steps outlined above—license validation, enabling the engine, checking DNS and NTP, configuring an upstream proxy, and clearing corrupted caches—you can restore full web filtering in minutes.
Remember: Cloud categorization requires the firewall itself to act as a client. Treat it like any other workstation that needs DNS, NTP, and outbound HTTPS access. With proper monitoring and preventative maintenance, you can ensure that “categorization disabled” becomes a rare event rather than a recurring headache.
Need further assistance?
Visit the official Kerio Control Knowledge Base or the GFI Community Forums. Always include your debug logs (Diagnostics → Generate Support Info) when seeking vendor support.
Last updated: 2025
Revision: 4.0
If you are encountering the error "Kerio Control Web Filter is not activated; categorization is disabled," your firewall has likely triggered a safety mechanism that pauses web filtering when it cannot reliably reach the categorization servers.
This issue is typically caused by unstable DNS connections, expired authentication tokens, or network reliability checks failing multiple times in a row. Use the following guide to troubleshoot and implement workarounds. 1. Immediate Workaround: Disable Reliability Detection
Kerio Control is designed to disable the Web Filter if it fails 10 consecutive DNS checks to reach the update servers within one minute. You can force it to ignore these failures and keep the filter active by using the SSH console. Steps to disable reliability detection:
Enable SSH: Hold the Shift key while navigating to Status > System Health in the admin interface, then click Enable SSH.
Access the Shell: Connect to your Kerio device via SSH (e.g., using PuTTY ). Run these commands:
cd /opt/kerio/winroute ./tinydbclient "update SiteFilter set DetectReliability=0" /etc/boxinit.d/60winroute restart Use code with caution.
Note: This will restart the Kerio Control service and may cause a brief internet interruption. 2. Resolve "Invalid Authorization" and Token Errors
The Web Filter uses an external service (Zvelo) which requires a valid authorization token. These tokens expire every 21 days. If your DNS settings prevent the token from renewing, categorization will be disabled.
Change DNS Forwarding: Do not use Google DNS (8.8.8.8) for all requests, as it can sometimes cause issues with Zvelo authentication.
Configure Custom Forwarding: Navigate to Configuration > DNS. Check Enable custom DNS forwarding and add a rule for *.zvelo.com to use Cloudflare (1.1.1.1) or OpenDNS (208.67.222.222) instead. 3. Fix Licensing and Activation Issues
The Web Filter requires a specific active license; without it, the module behaves as a trial and will automatically disable after 30 days.
Check Subscription Status: In the GFI Accounts Portal , verify your license is not expired.
Offline Registration: If the online activation fails due to network issues, download the license file from the Kerio Product Registration page and use the Register Offline option in the Kerio Activation Wizard.
Check Disk Space: A full disk can prevent the license file from saving. Use SSH to check disk space and clear cache files in /var/lib/firebase if necessary. 4. Troubleshooting Miscategorized or Blocked Sites
If the filter is activated but still blocking legitimate sites, you can bypass the categorization engine for specific URLs. Using Kerio Control Web Filter
When your Kerio Control Web Filter displays a "not activated" status or states that "categorization is disabled," it usually stems from a connectivity failure between your firewall and the Zvelo categorization servers.
If a simple restart doesn't fix it, follow these steps to restore functionality: 1. Resolve Connectivity & Reliability Issues
Kerio Control will disable the Web Filter if it fails to receive a DNS response from update servers 10 times in a row. This is a safety mechanism to prevent network hangs when the filter isn't "reliable."
Temporary Fix: Restart the Kerio Control appliance to restore immediate internet access.
Permanent Fix (via SSH): To prevent future automatic disabling, you must disable the DetectReliability feature: Access the Kerio Control shell via SSH. Navigate to the directory: cd /opt/kerio/winroute.
Execute this command to disable reliability detection:./tinydbclient "update SiteFilter set DetectReliability=0". Restart the engine: /etc/boxinit.d/60winroute restart. 2. Update DNS Forwarding Servers
If you are using Google's DNS (8.8.8.8), you might encounter "Invalid Authorization" errors because Zvelo key tokens expire every 21 days and may fail to refresh through these servers.
Solution: Change your custom DNS forwarding servers for *.zvelo.com to Cloudflare (1.1.1.1) or OpenDNS (208.67.222.222).
Action: Update these settings in Configuration > DNS, then reboot the appliance. 3. Verify License & Activation Status
The Web Filter requires a specific active license module. If your core license is valid but the filter is "not activated," it may be a module-specific expiration.
Check Status: Go to the Dashboard in the Kerio Control Administration interface to verify the license expiration date.
Re-enable Manually: Sometimes the filter just needs to be toggled:
Navigate to Content Filter > Applications and Web Categories. Uncheck and re-check Enable Kerio Control Web Filter. Click Apply. 4. Advanced Troubleshooting: HTTPS & Wildcards
If specific sites still aren't being categorized correctly or are blocked despite being whitelisted:
Enable HTTPS Decryption: The filter cannot categorize encrypted traffic without HTTPS decryption enabled under Content Filter > HTTPS Filtering.
Wildcard Handling: If you whitelist a domain, ensure you use a trailing wildcard (e.g., *.domain.com/*) to capture all sub-paths. Using Kerio Control Web Filter
Common Causes
There are three primary reasons why this status appears:
- Licensing Issues: The "Kerio Control Web Filter" license module is invalid, expired, or not installed.
- Connectivity Blockage: The firewall cannot reach the Kerio cloud servers due to DNS issues or restrictive firewall rules.
- Configuration Oversight: The feature was manually disabled in the advanced settings.
4. Traffic is Exempt from Filtering
If the log says categorization is disabled for a specific connection, it might be bypassed.
- Check: Go to Content Filter > Web Filter > Exceptions.
- Fix: Ensure the user, IP address, or website you are testing is not listed in the Exceptions list.
