FortiGate
Nour (Staff)
Article Id 321151
Description This article describes the behavior and changes of the 'Create address object matching subnet' option for different Interface roles via GUI/CLI.
Scope FortiGate interface created with role LAN in v7.0+ via GUI/CLI.
Solution

The 'Create address object matching subnet' feature automatically creates a Firewall address object once an interface is created with the role LAN/DMZ.

[Image: interface settings page showing the 'Create address object matching subnet' toggle]

Behavior:

Default setting via GUI:

In GUI, this setting is controlled via the 'Create address object matching subnet' toggle as depicted in the image above.

 

  1. Default role setting when creating the interface:
    1. The role of the internal interface is 'LAN' and the 'Create address object matching subnet' toggle is available and on.
    2. The role of the DMZ interface is 'DMZ' and the 'Create address object matching subnet' toggle is available and on.
    3. The role of the WAN interface is 'WAN' and the 'Create address object matching subnet' toggle is unavailable.
    4. The role of the other interface is 'Undefined' and the 'Create address object matching subnet' toggle is unavailable.
  2. When the role of an existing interface is changed from Undefined/WAN to LAN/DMZ, the GUI shows the 'Create address object matching subnet' toggle, but its default state is disabled in v7.0 and enabled in v7.2.4+. The administrator can enable or disable it via the GUI toggle to create (or not create) the interface-subnet address object.

Default setting via CLI:

The default setting via CLI is slightly different since CLI does not have the 'Create address object matching subnet' enable/disable toggle setting.

 

v7.0.x, v7.2.0-7.2.3:

 

  1. Default role setting when creating the interface:
    1. The role of the internal interface is 'LAN' and a new interface address object is not created automatically with the interface.
    2. The role of the DMZ interface is 'DMZ' and a new interface address object is not created automatically with the interface.
    3. The role of the WAN interface is 'WAN' and a new interface address object is not created automatically with the interface.
    4. The role of the other interface is 'Undefined' and a new interface address object is not created automatically with the interface.
  2. When the role of an existing interface is changed from Undefined/WAN to LAN/DMZ, no interface address object is created automatically.

v7.2.4+:

 

  1. Default role setting when creating the interface:
    1. The role of the internal interface is 'LAN' and a new interface address object is created automatically with the interface.
    2. The role of the DMZ interface is 'DMZ' and a new interface address object is not created automatically with the interface.
    3. The role of the WAN interface is 'WAN' and a new interface address object is not created automatically with the interface.
    4. The role of the other interface is 'Undefined' and a new interface address object is not created automatically with the interface.
  2. When the role of an existing interface is changed from Undefined/WAN/DMZ to LAN, a new interface address object is created automatically.

 

The address object created automatically appears under 'config firewall address' and looks like the following (the UUID and subnet are example values):

 

config firewall address
    edit "interface_name address"
        set uuid 4e4f34a6-2e09-51ef-30f0-c77958e3e176
        set type interface-subnet
        set subnet 1.2.3.4 255.255.255.0
        set interface "port1"
    next
end

 

Important Note:

When an interface has an address object of type 'interface-subnet', whether created automatically or manually as shown above, it is not possible to assign this interface as the 'ha-mgmt-interface'. Remove the interface's firewall address object before assigning the interface as 'ha-mgmt-interface'.

The same applies when adding an interface as a member in the 'switch-interface' command. If the feature is enabled, the address object creates a reference to the newly created interface, so the interface cannot be added as a member of the switch-interface until that address object is removed.
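As an added example (not Fortinet's code and not part of the original article), the following Python script parses the 'config firewall address' section of a FortiOS configuration backup and lists the 'interface-subnet' objects bound to a given interface, i.e. the references that must be removed before that interface can be used as 'ha-mgmt-interface' or as a switch-interface member. The sample configuration, interface names and UUIDs are constructed for illustration, and the function names are the example's own.

```python
"""Find FortiOS 'interface-subnet' address objects that reference an interface.

Added example (not Fortinet's code). It parses the 'config firewall address'
section of a FortiOS configuration text (as produced by 'show') and reports
which address objects reference a given interface, since such a reference
blocks using the interface as 'ha-mgmt-interface' or as a switch-interface
member. SAMPLE_CONFIG below is constructed; the UUIDs are placeholders.
"""
import re

# Constructed sample: two auto-created interface-subnet objects (port1, port3)
# and one ordinary subnet object that references no interface.
SAMPLE_CONFIG = """\
config firewall address
    edit "port1 address"
        set uuid 00000000-0000-0000-0000-000000000001
        set type interface-subnet
        set subnet 192.0.2.1 255.255.255.0
        set interface "port1"
    next
    edit "port3 address"
        set uuid 00000000-0000-0000-0000-000000000002
        set type interface-subnet
        set subnet 198.51.100.1 255.255.255.0
        set interface "port3"
    next
    edit "lab-servers"
        set uuid 00000000-0000-0000-0000-000000000003
        set subnet 203.0.113.0 255.255.255.0
    next
end
"""


def parse_firewall_addresses(config_text):
    """Return {object_name: {setting: value}} for the 'config firewall address' section."""
    objects = {}
    in_section = False
    depth = 0          # nesting of 'config ... end' blocks inside the section
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not in_section:
            in_section = line == "config firewall address"
            continue
        if line.startswith("config "):   # nested sub-table inside an object
            depth += 1
            continue
        if line == "end":
            if depth == 0:
                break                     # end of 'config firewall address'
            depth -= 1
            continue
        if depth:
            continue                      # ignore settings of nested tables
        m = re.match(r'edit "(.+)"$', line)
        if m:
            current = m.group(1)
            objects[current] = {}
            continue
        if line == "next":
            current = None
            continue
        m = re.match(r"set (\S+) (.+)$", line)
        if m and current is not None:
            objects[current][m.group(1)] = m.group(2).strip('"')
    return objects


def blocking_objects(config_text, interface):
    """Sorted names of interface-subnet address objects bound to `interface`."""
    objs = parse_firewall_addresses(config_text)
    return sorted(
        name for name, settings in objs.items()
        if settings.get("type") == "interface-subnet"
        and settings.get("interface") == interface
    )


def removal_commands(config_text, interface):
    """CLI snippet that deletes the blocking objects; empty string if none."""
    names = blocking_objects(config_text, interface)
    if not names:
        return ""
    lines = ["config firewall address"]
    lines += [f'    delete "{n}"' for n in names]
    lines.append("end")
    return "\n".join(lines)


if __name__ == "__main__":
    for iface in ("port1", "port2", "port3"):
        blocked = blocking_objects(SAMPLE_CONFIG, iface)
        status = "referenced by " + ", ".join(blocked) if blocked else "free to assign"
        print(f"{iface}: {status}")
    print(removal_commands(SAMPLE_CONFIG, "port1"))
```

Run it against a real backup by replacing SAMPLE_CONFIG with the file contents; an empty result for the interface means no interface-subnet object stands in the way of the ha-mgmt-interface or switch-interface assignment.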

 

Related document:

system switch-interface | FortiGate / FortiOS 6.2.1 | Fortinet Document Library