Kerio Control Web Filter Is Not Activated Categorization Is Disabled Hot < 360p >

Troubleshooting "Kerio Control Web Filter is Not Activated: Categorization is Disabled"

The error message "Kerio Control Web Filter is not activated; categorization is disabled" typically indicates a communication failure between your Kerio Control appliance and the external categorization servers (primarily Zvelo). When this service fails, your content rules based on web categories (like "Social Networking" or "Malware") stop functioning, potentially leaving your network exposed. Common Root Causes

DNS Failures: Kerio Control performs automatic reliability checks. If it fails to receive DNS responses 10 times in a row within one minute, it marks the Web Filter as "not reliable" and disables categorization.

Expired Authorization Tokens: Categorization relies on Zvelo key tokens that expire every 21 days. If these tokens fail to refresh, you will see an "Invalid Authorization" error in your logs.

Licensing Issues: The Web Filter requires a separate, active license. If your license has expired or is invalid, the module reverts to trial mode and eventually disables itself.

Connectivity and ISP Throttling: Some ISPs throttle frequent DNS requests to external databases like zvelo.com, causing the filter to time out and disable itself. Step-by-Step Solutions 1. Fix DNS Forwarding and Reachability

Incorrect DNS settings often block the appliance from reaching update servers.

Use Reliable DNS Forwarders: It is recommended to use Cloudflare (1.1.1.1) or OpenDNS (208.67.222.222) as custom DNS servers specifically for *.zvelo.com and *.kerio.com URLs.

Test Reachability: Verify if the appliance can ping update servers like bdupdate.kerio.com or prod-update.kerio.com. If you can only ping them by IP address (e.g., 35.168.223.144), your DNS configuration is the primary issue. 2. Disable Reliability Detection (SSH Method)

If your Internet connection is stable but the "Reliability Detection" feature is being too aggressive, you can disable it via the Kerio Control console.

Access your Kerio Control console via SSH (e.g., using PuTTY). Navigate to the directory: cd /opt/kerio/winroute.

Execute the following command to disable the reliability check:./tinydbclient "update SiteFilter set DetectReliability=0". Restart the service: /etc/boxinit.d/60winroute restart. 3. Resolve Invalid Authorization

If logs show an "Invalid Authorization" error, your Zvelo token may be stuck or expired.

Check the /opt/kerio/winroute/winroute.cfg file via SSH and ensure the DiaServerUrl value is set to v4.url.zvelo.com.

Reboot the Appliance: After updating DNS settings, a reboot is often necessary to refresh the token transfer from Kerio internal servers. 4. Verify License Status

Navigate to Configuration > License in the web administration interface.

Ensure the "Web Filter" module is listed as active. If it shows as "Expired" or "Not Licensed," you must renew your subscription to reactivate categorization.

If you have a license but it won't load, check for disk space issues. You may need to clear cache files from the /var/kerio/webctrl/ folder to free up room for the license file. Temporary Workarounds Troubleshooting "Kerio Control Web Filter is Not Activated:

While troubleshooting, you can maintain some control by using URL-based rules instead of category-based ones. Since categorization is disabled, rules that rely on "Applications and Web Categories" will fail, but manual rules (e.g., blocking facebook.com directly) will still work.

Are you seeing specific "DNS response timeout" or "Invalid Authorization" errors in your Kerio Control Error logs?

Resolving Web Filter Invalid authorization failures - KerioControl

The error "Kerio Control Web Filter is not activated / categorization is disabled" typically occurs when the firewall cannot reach the Zvelo categorization servers or when the license token has expired. This is often triggered by DNS failures, where the system marks the filter as "unreliable" after multiple failed connection attempts. Core Troubleshooting Steps 1. Verify DNS and Reachability

Kerio Control uses DNS queries to reach its update and categorization servers. If your ISP or current DNS configuration is slow or blocking these requests, the filter will deactivate.

Change DNS Forwarders: Avoid using Google DNS (8.8.8.8) for Zvelo categorization as it can cause "Invalid Authorization" errors. Instead, use Cloudflare (1.1.1.1) or OpenDNS (208.67.222.222).

Check DNS Reliability: Kerio deactivates the filter if 10 consecutive DNS queries fail within one minute. Usually, it tries to re-enable itself after one hour, but a manual restart is often faster. 2. Resolve "Invalid Authorization" Failures

If your error log specifically mentions "Invalid Authorization," it likely means the Zvelo key token has expired (tokens typically last 21 days).

Verify DiaServerUrl: Ensure the value v4.url.zvelo.com is correctly set in the configuration file located at /opt/kerio/winroute/winroute.cfg.

Clear the Cache: Sometimes a simple reboot after changing DNS settings is required to force a new token request. 3. Advanced SSH Fix (Disable Reliability Detection)

If the filter keeps disabling due to minor network fluctuations, you can disable the "Reliability Detection" feature via the Kerio Control Console: Connect to your Kerio Control appliance via SSH. Navigate to the directory: cd /opt/kerio/winroute.

Execute the following command to disable the reliability check:./tinydbclient "update SiteFilter set DetectReliability=0". Restart the service: /etc/boxinit.d/60winroute restart. Common Configuration Pitfalls

License Expiration: Ensure your Kerio Control Web Filter license is active. Without a valid subscription, the module defaults to a trial state and eventually disables itself.

Guest Network Limitations: Note that the Web Filter is disabled by default for the Guest Interface to allow users to reach the welcome page without authentication.

HTTPS Decryption: For categorization to work accurately on secure sites, ensure HTTPS Filtering (decrypt and filter) is enabled under Content Filter > HTTPS Filtering.

Do you need the specific SSH commands to check your current license status or verify the winroute.cfg contents?

Web Filter categorization disabled. Serial number: ko-197974 Install the latest version or hotfix – older

The error message "Kerio Control Web Filter is not activated, categorization is disabled" typically occurs because the firewall has failed to reach the external categorization servers (zvelo.com) multiple times, causing it to mark the service as unreliable and disable it. Immediate Fixes

Wait 1 Hour: Kerio Control is designed to automatically attempt to revert to normal operation after one hour of the error occurring.

DNS Verification: Ensure your firewall can resolve external domains. It is recommended to use Cloudflare (1.1.1.1) or OpenDNS (208.67.222.222) as custom DNS servers for *.zvelo.com URLs to avoid authorization failures.

Check License Status: If your Kerio Control or Web Filter subscription has expired, the web filter will be automatically disabled. You can check this in the Dashboard or License section of the GFI administration interface. Technical Workaround (SSH)

If the web filter remains disabled after an hour and DNS settings are correct, you can manually reset the reliability detection via SSH: Connect via SSH to your Kerio Control console.

Execute the following commands to disable the reliability check and restart the service:

cd /opt/kerio/winroute ./tinydbclient "update SiteFilter set DetectReliability=0" /etc/boxinit.d/60winroute restart Use code with caution. Copied to clipboard

Note: This forces the filter to stay active even if it has trouble reaching the update servers. Configuration Check

Navigate to Content Filter > Applications and Web Categories. Ensure Enable Kerio Control Web Filter is checked.

Verify that you have at least one Content Rule active that requires categorization; the filter often only "activates" when a rule is processing traffic. Using Kerio Control Web Filter - KerioControl - GFI

This specific error in Kerio Control—where the web filter is shown as not activated and categorization is disabled—typically stems from connectivity or authorization issues with the third-party categorization service, Zvelo. Common Causes

DNS Failures: Kerio Control sends periodic DNS check queries to update servers. If these fail 10 times in a row, the web filter is disabled for reliability reasons.

Invalid Authorization: This often occurs due to an expired Zvelo key token (which lasts 21 days) or incorrect DNS forwarding settings.

DNS Forwarding Issues: Using Google’s DNS (8.8.8.8) as a primary forwarding server can sometimes interfere with Zvelo token transfers. Recommended Solutions

The GFI Support Center suggests several methods to resolve this: Adjust DNS Forwarding:

Switch your custom DNS forwarding servers to Cloudflare (1.1.1.1) or OpenDNS (208.67.222.222).

Ensure the DiaServerUrl value in your configuration is set to v4.url.zvelo.com. Troubleshooting checklist (step-by-step)

Disable Reliability Detection (SSH Method):If categorization remains disabled due to intermittent connection issues, you can manually override the reliability check:

Access the Kerio Control console via SSH (holding Shift while clicking Status > System Health to enable it). Execute these commands:

cd /opt/kerio/winroute ./tinydbclient "update SiteFilter set DetectReliability=0" /etc/boxinit.d/60winroute restart Use code with caution. Copied to clipboard

This stops Kerio from automatically disabling the filter when it loses connection to the update servers. Manual Activation Check:

In the administration interface, navigate to Content Filter > Applications and Web Categories and ensure Enable Kerio Control Web Filter is checked.

Web Filter categorization disabled. Serial number: ko-197974

Step 5 – Update Kerio Control

  • Install the latest version or hotfix – older builds may have categorization bugs.

Troubleshooting checklist (step-by-step)

  1. Check Web Filter status

    • In the admin UI, go to Security > Web Filter (or Configuration > Content Filter) and confirm status message and any error text.

  2. Verify license/subscription

    • Admin UI: System > License (or Activation) — confirm Web Filter / Categorization is active and not expired.
    • If expired, renew license; if active, note license ID for support.

  3. Confirm connectivity to update servers

    • From Kerio appliance/host, test outbound connectivity (DNS and HTTPS) to categorization/update endpoints. Example tests:
      • ping or traceroute to update server hostnames.
      • curl/GET to the update/categorization URL (if allowed).
    • Ensure firewall/NAT rules permit outbound HTTPS to the categorization service.

  4. Check system time

    • Ensure device clock and timezone are correct (System > Date & Time). TLS validation can fail if time is wrong.

  5. Examine logs for errors

    • System and Web Filter logs in admin UI and appliance syslog for errors such as “license invalid”, “failed to download categories”, TLS handshake errors, or DB load failures.

  6. Check disk space / resources

    • Verify available disk space (especially /var or DB paths) and memory; clean up if low.

  7. Restart Web Filter services

    • Restart only the content/web filter service if possible; otherwise, schedule a controlled restart of Kerio Control.
    • Note: perform during a maintenance window if production-sensitive.

  8. Force category database update

    • In UI, trigger “Update” for category database if available. Monitor logs for success/failure.

  9. Verify policies and binding

    • Confirm web-filtering policies are enabled and bound to the correct traffic/users/interfaces.
    • Confirm fallback/default action is not “allow” when categorization unavailable (consider setting to “block” temporarily).

  10. Test from client

    • Use a client behind the appliance to request known categorized sites and confirm whether they are blocked/logged.

  11. Check for known bugs / version issues

    • Review Kerio Control release notes for recent versions and advisories — consider rolling back or upgrading if a bug is implicated.

  12. Contact vendor support

    • If subscription valid and troubleshooting fails, collect logs, configuration export, license ID, timestamps and open a support ticket.

Step 1 – Renew or Reapply License

  • Purchase a valid Kerio Control Web Filter subscription.
  • Upload new license via Administration → Licenses → Add License.
  • Restart web filter service after license activation.

Step 3: Fix the "Hot" State by Resetting the Filter Engine

If the service is stuck in a frantic "hot" retry loop, force a reset:

  1. Stop the Web Filter service:
    • In the admin interface: Configuration > Web Filter > Uncheck "Enable Web Filter."
    • Apply the change.
  2. Clear the local cache:
    • SSH into the Kerio server (Linux or Windows).
    • Navigate to the data directory (/var/kerio/winroute/extensions/urldb/ or C:\Program Files\Kerio\WinRoute\extensions\urldb\).
    • Delete the contents of the cache folder.
  3. Start the service:
    • Re-check "Enable Web Filter."
    • Wait 60 seconds. The "hot" error should change to "Downloading database" and then "Active."