Connect to your firewall appliance using an SSH client (like PuTTY).
nslookup updates.gfi.com curl -I https://download.kerio.com/control/categorization/latest.dat
: Some legacy licenses (e.g., Kerio Control 7.x perpetual) do not include the categorization service. You may need to upgrade to a “Content Filtering” add-on.
: Kerio Control performs automated health checks to reach its classification servers. If 10 consecutive DNS queries fail within a 60-second window, the firewall marks the backend system as unreliable and proactively disables categorization.
Use this checklist to systematically verify the fix: Connect to your firewall appliance using an SSH
If DNS fails, check your DNS settings in (try 8.8.8.8 as a secondary). If TCP connect fails, your upstream network (or ISP) is blocking these domains, or you have a routing issue.
For network administrators using the Kerio Control firewall, encountering the error is a critical issue. This error completely halts URL traffic filtering, leaving your network vulnerable to malicious websites and unauthorized content.
Navigate to and look at the License tile, or go to Status > License .
Kerio Control cannot resolve the GFI service URL. : Kerio Control performs automated health checks to
Ensure you are running the latest version of Kerio Control. Check for updates and install the latest version if necessary.
: Use a client like PuTTY to SSH into your Kerio Control appliance. Execute the Fix :
What specific of Kerio Control are you running? Are you seeing any specific error codes in the Warning or Error logs? If you want to check your system logs via the terminal, I can provide the exact SSH commands to diagnose the cloud connection.
When managing an enterprise network with , encountering the error "Kerio Control Web Filter is not activated, categorization is disabled" can severely expose your local network. This critical warning signifies that Kerio's cloud-based third-party content database (Zvelo) has stopped communicating with your firewall. If TCP connect fails, your upstream network (or
: Do not use Google's DNS (8.8.8.8) as the primary forwarder for *.zvelo.com .
If the date/time is wrong on the firewall, SSL certificates will fail, preventing connection to the web filter service. Go to System > Date & Time .
This public link is valid for 7 days and shares a thread, including any personal information you added. This link or copies made by others cannot be deleted. If you share with third parties, their policies apply. Can’t copy the link right now. Try again later.
Security certificates fail to validate if the appliance time is incorrect, resulting in disabled categorization. Go to > Advanced Options > Time Server . Check the Keep synchronized with NTP server box. Input a reliable time server (e.g., pool.ntp.org ).
This message means Kerio Control’s web filtering engine cannot categorize or block web content because the URL categorization service is offline or disabled. As a result, the Web Filter feature won’t evaluate sites by category and will either allow or block traffic only by IP/URL rules or default policy. The steps below diagnose common causes and restore categorization and web filtering.
You must be logged in to post a comment.