Does anyone know why there is a limitation that I cannot choose the echo-request service in the NAT rule, and also in a group in the NAT policy?
Only "any" will apply NAT to echo-request packets.
That is partly correct. You can build a general NAT rule and limit it with the firewall rule.
For more information on destination NAT, see the article R80.x Security Gateway Architecture (Logical Packet Flow).
The service column in the NAT rulebase can only take TCP/UDP services, of which ICMP is neither.
If you've properly restricted your access rulebase, this should not present a security issue.