Software testing

Certification / test environment for access to the Internet based on Checkpoint?

Good afternoon Colleagues.
Introductory, we go to the Internet through the Checkpoint cluster, on which many rules are configured and almost all possible blades work. Policies come from Information Security, and often they stop the work of the business and have to be rolled back. A separate difficulty is the fact that we do not have our own specialist with deep knowledge and experience in Checkpoint.
The question is, I really want to make a certification / test environment in order to run changes on a group of employees (let's say 10% from different departments + IT) and only then roll them out to everyone. We wanted to link this problem with the spacing of the cluster between data centers (now it is located in one), but it is not clear how best to do it.
1. Separate cluster nodes between data centers, we get disaster tolerance, but since the cluster will remain alone, the policies will also roll on all at once.
2. Leave the cluster in the main data center, and put a separate server in the backup one, run changes on it, well, in case of an accident, it will be the main one. Apparently this is how it should be done, but we are not sure that this is the most rational option + some users will have to register another proxy + they will have to administer two solutions (the settings can scatter because everyone is always parked).
Perhaps there is a third option? I heard that inside the checkpoint there are regular tools for creating a certification environment? Is it so? I asked for support, but they are somehow cloudy :-(
Thank you!