Hi PhoneBoy,
sounds easier than it is.
This was only an example group, but not every EPG contains all hosts in the same subnet.
The ACI is managed externally and contains about 15000 EPG objects.
We will receive change requests from the customer directly to implement FW rules and NAT rules with the EPG objects.
If we need to manually create each EPG object as a network group on the Check Point when it is to be used in a NAT rule and have to maintain this manually with each change on the ACI, we will have a lot of overhead.
Especially when receiving about 400 change requests a month once the customer is in production.
I can totally understand your technical point of view that the Access Policy is applied before the NAT rules and regulates all outbound traffic. But we are located in Germany, as is the customer, and it is all laid down in contracts that each Access rule, and also each NAT rule, must be as precise as possible.
I hope you can now understand the problem I am facing.
Regards
Adrian