Configuring the Content Filter


Watch the Configuring the content filter video.

In the content filter, Kerio Control defines the types of web activities that are allowed by users on your network. The content filter blocks:

This filtering on different network layers is easily configured by a single set of rules.

Here are the main purposes of content filtering:



Kerio Control does not apply content rules to the reverse proxy traffic.

Configuring content rules

The Content Rules table includes several predefined rules.

Each rule is compound from several parts. Each part is represented with a column in the Content Rules table. Here there are the most important parts of each rule:

In the Content Filter table, you can see:

  • Checkboxes which enable/disable rules (1)
  • Short descriptions of each rule (2)
  • Rules are greyed out when they are inactive(3). Kerio Control Web Filter or the application awareness feature is inactive on the Content Filter > Applications and Web Categories tab.
  • The default rule allows all content (4)
  • Green color highlights allowing rules (5)
  • Red color highlights denying and dropping rules (6)
  • The rule order is important. Use the arrows to adjust the order of rules. For details, see Ordering rules (7)
  • Color your own rules for clear arrangement (8)
  • More Actions (9) allows you to:
  • Duplicate the highlighted rule
  • Change color of the highlighted rule
  • Change the description the highlighted rule
  • Edit the time range of the highlighted rule

Duplicating content rules

If you want to create a new content rule, try to find a similar one and duplicate it first. Duplicating a rule and adjusting some parameters is quicker than creating the new rule.

Adding new rules

  1. In the administration interface, go to Content Filter.
  2. On tab Content Rules, click Add.
  3. In table, type a name of the rule in the newly created line.

  1. Double-click the Detected content column and select what type of the content should be filtered (see details in Detecting content).
  2. Double-click the Source column and select users and/or IP addresses.
  3. Double-click the Action column and fill in the dialog box (see details in Setting actions)
  4. (Optional) Set the valid time — you can set a time interval for applying the rule. Create time intervals in Definitions > Time Ranges (see article Creating time ranges in Kerio Control) then you can select the time interval in the Content Rules table.
  5. Click Apply.

Detecting content

In the Content Rule - Detected Content dialog box, click:

  • Applications and Web Categories — for pages sorted in the selected categories by the Kerio Control Web Filter and the application awareness for pages sorted in the selected categories by the application detection.
  • File Name — to allow/disable the transfer of the defined file types.
  • URL and Hostname — to type any URL starting with the specified string. It is possible to use wildcards * (asterisk) and ? (question mark).
  • URL Groups — to allow/disable access to a group of web pages. For more details, read article Configuring URL groups.

Setting actions


To log all traffic matched with the rule, check Log the traffic. Each log will be written to the Filter log.

The Content Rule - Action dialog varies depending on selected action:

Action Description

Traffic allowed. With the allow rule you can create the following types of rules:

  • Skip Antivirus scanning for selected users, IP addresses or host names.
  • Skip Forbidden words filtering for selected users, IP addresses or host names.
  • Do not require authentication for selected users, IP addresses or host names.

User will be redirected to the firewall page with information that access is denied. You can:

  • redirect a user to another page


It works only for HTTP sites. Blocked HTTPS sites cannot be redirected to another URL, or to the custom denial page. The page will time out for the user.

  • type a deny text
  • send email notification. The user must have e-mail address configured in Kerio Control. The user must be authenticated to Kerio Control.


Access is denied and the user will see the page as unavailable.

Rule order

Kerio Control goes through rules from top to down and stop with the first match. Therefore, order the rules from specific to general. The most general rule, Allow other traffic, is created by default and it is placed at the bottom.

You can change the order with:

  • Arrows placed on the right side of the window
  • Drag&Drop and move rule or more rules with mouse

Unlocking rules

Privileged users can continue to filtered websites if you enable this right for them. Read Setting access rights in Kerio Control for detailed information.


Adding new URLs for automatic updates

If you start to use a new software with the automatic updates option, you must add a new URL to the content filter:

  1. Go to Content Filter and enable rule Allow automatic updates and MS Windows activation. The rule is based on the Automatic Updates URL group.

  1. Go to Definitions > URL Groups.
  2. Click Add.
  3. In the Add URL dialog, select Select existing > Automatic Updates.
  4. Type the URL for automatic update. You can use *, ? or select Use regular expression and type the URL as regular expression.

Blocking Facebook


If you have a Kerio Control Web Filter license, block Facebook or other social media with the Application awareness.

To deny Facebook, add the following rule:

  1. On the Content Rules tab, click Add.
  2. Type a name of the new rule.
  3. Double-click Detected Content.
  4. In the Content Rule - Detected Content dialog, click Add > URL and Hostname.
  5. Type into the Site field.
  6. Check option Also apply to secured connections (HTTPS). This option has exceptions written in the HTTPS filtering specifics article.

  1. Click OK.
  2. In the Content Rule - Detected Content dialog, click Add > URL and Hostname again.
  3. Type into the Site field.

  1. Select option Hostname across all protocols. Kerio Control sends DNSDomain Name System - A database enables the translation of hostnames to IP addresses and provides other domain related information. query and ensures that all IP addresses used by Facebook will be identified.
  2. Click OK.
  3. Double-click Action.
  4. In the Content Rule - Action dialog, select Deny in the Action drop-down menu.
  5. Save the settings.
  1. Click OK.
  2. Double-click Action.
  3. In the Content Rule - Action dialog, select Allow in the Action drop-down menu.
  4. Select Skip Antivirus scanning.
  5. Select Skip Forbidden words filtering.
  6. Select Do not require authentication.
  7. Save the settings.