Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


forwarding-mode (Security Content Security Policy)


Hierarchy Level


The default configuration for anti-virus is to use the continuous delivery function (CDF). It holds the last packet and sends out all other packets. It saves system memory and makes the packet transmission faster. This mode sends the last packet if the result is “permit” and sends RST message to both the client and the server to reset the connection if the result is “drop”. In CDF mode, you may save an incomplete infected file because it only holds the last packet and sends out others. This file could be executable and harmful, for example, an incomplete script file. CDF mode does not support Mail protocols. Change to hold mode to hold all the packets until you get the final result. Configure inline-tap mode to permit the traffic even if it is infected. This mode is off by default. You can set the hold and inline-tap mode separately or simultaneously. When you set both modes simultaneously, inline-tap over-rules the hold mode and permits the traffic.

To delete hold mode use #delete security utm default-configuration anti-virus forwarding-mode hold, and to delete inline-tap mode use #delete security utm default-configuration anti-virus forwarding-mode inline-tap.


hold —Hold mode (hold file until analysis is complete, default is CDF mode).

inline-tap —Detect-only mode without blocking (default is off).

The statements are explained separately. See CLI Explorer.

Required Privilege Level

security—To view this statement in the configuration.

security-control—To add this statement to the configuration.

Release Information

Statement introduced in Junos OS Release 20.2.