Negating the protocol in NAT rules has the opposite effect and creates a rule that matches that protocol instead.
# show nat destination rule 10 destination { } inbound-interface eth0 protocol !tcp source { address 192.0.2.1 } translation { address 10.91.19.10 }
The rule it creates is:
0 0 DNAT tcp -- eth0 * 192.0.2.1 0.0.0.0/0 /* DST-NAT-10 */ to:10.91.19.10
A correctly generated rule was supposed to look like:
0 0 DNAT !tcp -- eth0 * 192.0.2.1 0.0.0.0/0 to:10.91.19.10