The 'Create address object matching subnet' feature automatically creates a Firewall address object once an interface is created with the role LAN/DMZ.

Behavior:

Default setting via GUI:

In the GUI, this setting is controlled via the 'Create address object matching subnet' toggle as depicted in the image above.

1. The default role setting when creating the interface:
   1. The role of the internal interface is 'LAN', and the 'Create address object matching subnet' toggle is available and on.
   2. The role of the DMZ interface is 'DMZ', and the 'Create address object matching subnet' toggle is available and on.

1. 3. The role of the WAN interface is 'WAN' and the 'Create address object matching subnet' toggle is unavailable. The feature is not available for interface 'WAN'.
   4. The role of the other interface is 'Undefined', and the 'Create address object matching subnet' toggle is unavailable. The feature is not available for interface 'Undefined'.   

2. When already having an interface created and changing the role from Undefined/WAN to LAN/DMZ, the GUI shows 'Create address object matching subnet' toggle, but the default toggle setting will be automatically disabled in v7.0 and automatically enabled in v7.2.4+. Admin can enable/disable it via the GUI toggle and create the interface-subnet address.

Default setting via CLI:

The default setting via CLI is slightly different since CLI does not have the 'Create address object matching subnet' enable/disable toggle setting.

V7.0.x,v 7.2.0-7.2.3:

1. The default role setting when creating the interface:
   1. The role of the internal interface is 'LAN', and a new interface address object is not created automatically with the interface.
   2. The role of the DMZ interface is 'DMZ', and a new interface address object is not created automatically with the interface.
   3. The role of the WAN interface is 'WAN,' and a new interface address object is not created automatically with the interface.
   4. The role of the other interface is 'Undefined' and a new interface address object is not created automatically with the interface.
2. When already having an interface created and changing the role from Undefined/WAN to LAN/DMZ, a new interface address object is not created automatically.

v7.2.4+:

1. The default role setting when creating the interface:
   1. The role of the internal interface is 'LAN' and a new interface address object is created automatically with the interface.
   2. The role of the DMZ interface is 'DMZ' and a new interface address object is not created automatically with the interface.
   3. The role of the WAN interface is 'WAN' and a new interface address object is not created automatically with the interface.
   4. The role of the other interface is 'Undefined' and a new interface address object is not created automatically with the interface.
2. When already having an interface created and changing the role from Undefined/WAN/DMZ to LAN, a new interface address object is created automatically.

The interface created automatically looks something like the below:

edit "interface_name address"
    set uuid 4e4f34a6-2e09-51ef-30f0-c77958e3e176
    set type interface-subnet
    set subnet 1.2.3.4 255.255.255.0
    set interface "port1"
next

Note: If the interface address changes, the subnet of the address object will update dynamically.

Important Note:

When an interface has an address object of type 'interface-subnet' automatically or manually created as above, it is not possible to assign this interface as 'ha-mgmt-interface. Remove the interface firewall address object before assigning this interface as 'ha-mgmt.-interface'.

This scenario also works similarly when adding an interface as a member in the switch-interface command. It will not be possible to add the newly created interface if that feature is enabled, as it will create a reference. Therefore, it will not be able to add that interface as a member to the switch-interface.