Hello,
My customer is planning to deploy a backup center firewall.
The customer wants to manage two firewalls from one management server.
But these two firewalls have the same IP address.
These firewalls use 5 interfaces each and the IP addresses of 4 interfaces are identical (only the mgmt port IP addresses are different).
Firewall A is the main center firewall and Firewall B is the backup center firewall.
The customer wants this configuration to completely synchronize the security policies of the two firewalls.
Is there any problem if I configure it like this?
(Central management of two firewalls with the same IP address)
I think it can work as long as you specify the unique IPs as the main IPs on each gateway. You won't be able to do VPNs though.
It's not a recommended configuration, and you may run into issues caused by this that are not resolvable.
The gateways won't synchronise anything but you don't need gateways to have the same IPs on their interfaces to install the same policy on both of them.
Thank you very much for your reply.
The reason two gateways have the same IP address is because of the customer's network environment. (I don't want this configuration.)
I plan to place one management server in the main center and one management server in the backup center and configure HA for these two management servers.
And this HA management server tries to manage the firewalls deployed in each center (main center, backup center). But these two firewalls have the same IP address. The goal is to install the same daily updated security policy on each firewall of both centers.
Each firewall in these two centers will always have the same security policy.
Therefore, even if a failure occurs in the main center, the backup center firewall will be able to enforce the latest security policy.
This is the configuration my customers want.
Are there any other configuration options that could solve the customer's needs?
It depends. It sounds like the DCs are reusing all the same subnets, but they are not stretched between them? We need to better understand why there is a requirement to use the same interface IP addresses on both sides.
Why not use ClusterXL in the supported configuration? This is HA and syncs all connections, having the same policy and a common VIP on all the IFs. https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_ClusterXL_AdminGuide/Topics-...
My customer has been using Check Point firewalls for a very long time. They have been using the VRRP configuration for a long time and have experience with its stability.
My guess is that they probably don't want to change the network configuration for this reason. But I can change their minds if necessary.
Currently, there are no problems with VRRP settings.
I have a few questions, almost none of which involve Check Point:
I recommend engaging with your local Check Point SE with more specifics to validate the proposed configuration, which I suspect will be very problematic.
We are in discussions with Check Point Local SE.
If the customer selects Palo Alto, it is said that this issue can be clearly resolved by using Panorama.
We need to get answers to our customers as quickly as possible.
Since they are already using Check Point products, it is likely that Check Point will be selected at this time. But we cannot rest assured.
I'm not an expert in Palo Alto by any means, it's been some time since I worked on it, but how can Panorama solve the routing issue you mentioned? Panorama is Palo Alto's version of the CP management server; it does not really do any routing, it's simply there for managing Palo Alto firewalls and pushing changes to the same.
Andy
Panorama can manage two firewalls with the same IP configuration.
Routing issues will be designed by a network designer to ensure that there are no problems.
Is there any problem with the Check Point management server managing two firewalls with the same IP configuration?
A long time ago, in the old version, I saw an SK case where unexpected problems occurred when managing two firewalls with the same IP.
If that's true, that's news to me for Panorama, never heard of it before. Can it be done with Check Point? I have no clue, as I never tested myself. Logically, I don't see how that would work.
Andy
CP can do it (with some caveats, such as VPN issues I mentioned before), if they have different Mgmt IPs, but there's still no good reason for it. If it's just a routing change, there's still no need to reuse the same IPs on the backup site. If the VLANs are stretched between the two sites, you can have a 3-node ClusterXL cluster. If the sites are isolated, sharing IP addressing between the two is just making life hard for yourself.
Also the recommended clustering tech from Check Point is ClusterXL, VRRP is considered legacy. In R82 we will be introducing a new clustering tech, ElasticXL.
From a management perspective, each managed gateway needs to have a unique IP; specifically the Main IP in the General tab of the relevant object.
For ClusterXL/VRRP cluster members, management pushes policy to each cluster member independently using the member objects' Main IPs.
Assuming you use the Management IP for the backup DC gateway (which is unique), that would mean all three gateways can be managed using unique IPs.
That should work, but I would thoroughly test this in the lab first.
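The uniqueness rule described in this thread, written as a pre-deployment check over a planned gateway inventory. This is an added example, not part of the original posts and not Check Point code; the gateway names, the inventory layout and the documentation-range addresses are constructed.

```python
from collections import defaultdict
from ipaddress import ip_address

# Constructed inventory: two main-center members and one backup-center gateway
# that reuses main-fw-1's data interface addresses; only mgmt addresses differ.
INVENTORY = {
    "main-fw-1": {"main_ip": "192.0.2.11", "interfaces": {
        "mgmt": "192.0.2.11", "eth1": "198.51.100.2", "eth2": "203.0.113.2"}},
    "main-fw-2": {"main_ip": "192.0.2.12", "interfaces": {
        "mgmt": "192.0.2.12", "eth1": "198.51.100.3", "eth2": "203.0.113.3"}},
    "backup-fw": {"main_ip": "192.0.2.21", "interfaces": {
        "mgmt": "192.0.2.21", "eth1": "198.51.100.2", "eth2": "203.0.113.2"}},
}


def check_inventory(inventory):
    """Return (errors, warnings) for a planned set of centrally managed gateways."""
    errors, warnings = [], []
    main_owner = {}                  # main IP -> gateway that claims it
    addr_owners = defaultdict(set)   # interface IP -> gateways configured with it

    for name, gw in inventory.items():
        main = ip_address(gw["main_ip"])
        if main in main_owner:
            errors.append(f"{name}: main IP {main} already used by {main_owner[main]}")
        else:
            main_owner[main] = name
        for addr in gw["interfaces"].values():
            addr_owners[ip_address(addr)].add(name)

    for addr, owners in addr_owners.items():
        if len(owners) < 2:
            continue
        names = ", ".join(sorted(owners))
        if addr in main_owner:
            # A main IP must be an address that exists on one gateway only.
            errors.append(f"{main_owner[addr]}: main IP {addr} is also configured on {names}")
        else:
            # Manageable, but the thread notes VPN will not work with reused IPs.
            warnings.append(f"{addr} is configured on {names}")
    return errors, warnings


if __name__ == "__main__":
    errs, warns = check_inventory(INVENTORY)
    for line in errs:
        print("ERROR:", line)
    for line in warns:
        print("WARN: ", line)
```

An empty error list means every gateway can be addressed by management through an address no other gateway holds; the warnings list the reused interface addresses to review before lab testing.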
Thank you all.
I received a reply from Local SE that this configuration is possible.
Thank you.
Definitely keep us posted if you make it work and how it was done.
Best,
Andy