Checkpoint has option to creat an address group object with exclusion (e.g Include 10.20.x.x/16 and exclude 10.20.30.0/24 or other subnets from supernet). Is similar option available in Palo Alto.
Negate option in PA is just to negate all source/destination.
You can't exclude in an address or address-group object. If you want this feature you would need to reach out to your SE and get a feature request put together or have your vote added to an existing request.
You are correct that negate-source and negate-destination will negate anything specified and match everything else.
@BPry Thanks for the quick reply.
I checked in expedition while converting the object group with exclusion it has converted the object group into range of address excluding the subnet which was under exclude list in the checkpoint object. It serves the purpose.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!