Thanks for the prompt response.

It is unfortunate this was categorised as a bug as it is useful functionality.

Applying a NAT rule to a set of things except for a subset of those things is required sometimes.

I try this with our VPN addresses to and internal segment of our LAN and after I push policy I can no longer ping the network the destination network...does anyone have thoughts on that.  

But if you use SmartMove tool (sk97246) for Juniper to Check Point conversion, it will happily create NAT rules using groups with exclusion; I think if you decided it's a bug in one place you should not use it in another as a feature (otherwise this tool is very handy, btw, thanks). 

That might be a bug in the SmartMove tool.
Paging @yael_haker 
I'm actually curious now if rules with negated objects in NAT rules works in R81, since we made major changes to the NAT policy in this version.

No. In R81, NAT supports domain objects, security zones, updatable objects, access roles, data centers and hit count.

But not negate objects / group with exclusions.

As you wrote before, it can be achieved using no NAT rule.

Hi @Meital_Natanson is there a way to test NAT rule matching from the CLI gateway similar to fw up_execute for the Firewall/Network policy layer?

@Timothy_Hall  - no such option.

If there are issues with SmartMove - please contact us at sc@checkpoint.com

We will appreciate to get a copy of the config file in order to address this issue