This ought to be possible using a combination of local L3 rules on the MX and S2S VPN FW rules. On each site you'd have to separate the networks in VLANs on the MX. Then you'll have to create a FW rule per MX that denies traffic between the two VLANs, within each site. E.g. if site A uses 10.10.1.0/24 for prod, and 10.20.1.0/24, then you'd define a FW rule that denies traffic from 10.10.1.0/24 to 10.20.1.0/24 and vice versa. Then you'll have to create a rule on the Site-to-Site VPN Firewall rules which denies all traffic between 10.10.0.0/16 and 10.20.0.0/16, and one vice versa. The rules per MX allow separation between the VLANs per site, and the S2S rules should allow for separation between the Prod and HA supernets.
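The two-layer rule set described in the answer above, modelled as an added example (not code from the original post or from Meraki). It builds the per-site MX L3 deny rules and the S2S VPN supernet deny rules as plain dicts whose field names mirror the shape of Meraki dashboard firewall rule objects (assumed, not taken from the post), then evaluates sample flows with first-match semantics to confirm prod and HA cannot reach each other either within a site or across the VPN. Site B's addressing (10.10.2.0/24 prod, 10.20.2.0/24 HA) is a constructed assumption; the post only gives site A.

```python
"""Model of the per-site MX L3 rules plus S2S VPN supernet rules from the post.

Assumed addressing (the post only states site A):
  site A: prod 10.10.1.0/24, HA 10.20.1.0/24
  site B: prod 10.10.2.0/24, HA 10.20.2.0/24   (constructed)
  prod supernet 10.10.0.0/16, HA supernet 10.20.0.0/16
"""
import ipaddress

PROD_SUPERNET = "10.10.0.0/16"
HA_SUPERNET = "10.20.0.0/16"

# Per-site VLAN subnets; site B values are constructed for illustration.
SITES = {
    "A": {"prod": "10.10.1.0/24", "ha": "10.20.1.0/24"},
    "B": {"prod": "10.10.2.0/24", "ha": "10.20.2.0/24"},
}


def deny_rule(comment, src, dst):
    # Field names follow the shape of a Meraki L3 / VPN firewall rule object
    # (assumed here, not quoted from the post or the API docs).
    return {
        "comment": comment,
        "policy": "deny",
        "protocol": "any",
        "srcCidr": src,
        "srcPort": "Any",
        "destCidr": dst,
        "destPort": "Any",
        "syslogEnabled": True,  # log hits so cross-zone attempts are visible
    }


def site_l3_rules(site):
    """Local MX rules: block inter-VLAN traffic between prod and HA on one site."""
    vlans = SITES[site]
    return [
        deny_rule(f"site {site}: prod -> HA", vlans["prod"], vlans["ha"]),
        deny_rule(f"site {site}: HA -> prod", vlans["ha"], vlans["prod"]),
    ]


def s2s_vpn_rules():
    """Org-wide S2S VPN rules: block prod <-> HA across the supernets."""
    return [
        deny_rule("S2S: prod supernet -> HA supernet", PROD_SUPERNET, HA_SUPERNET),
        deny_rule("S2S: HA supernet -> prod supernet", HA_SUPERNET, PROD_SUPERNET),
    ]


def _matches(rule, src_ip, dst_ip):
    return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule["srcCidr"])
            and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(rule["destCidr"]))


def evaluate(rules, src_ip, dst_ip):
    """First-match evaluation with an implicit allow at the end."""
    for rule in rules:
        if _matches(rule, src_ip, dst_ip):
            return rule["policy"], rule["comment"]
    return "allow", "default"


def site_of(ip):
    addr = ipaddress.ip_address(ip)
    for site, vlans in SITES.items():
        if any(addr in ipaddress.ip_network(cidr) for cidr in vlans.values()):
            return site
    return None


def path_verdict(src_ip, dst_ip):
    """Local MX L3 rules govern flows staying on one site; S2S VPN rules govern
    flows that cross the VPN. Returns (policy, matched rule comment)."""
    src_site, dst_site = site_of(src_ip), site_of(dst_ip)
    if src_site is None or dst_site is None:
        raise ValueError("address not in any modelled VLAN")
    if src_site == dst_site:
        return evaluate(site_l3_rules(src_site), src_ip, dst_ip)
    return evaluate(s2s_vpn_rules(), src_ip, dst_ip)


def check_separation():
    """Try a host from every VLAN against every other VLAN on both sites and
    return the sorted set of (src_role, dst_role) pairs that are allowed.
    Correct separation means no ('prod', 'ha') or ('ha', 'prod') pair appears."""
    allowed = set()
    for src_vlans in SITES.values():
        for src_role, src_cidr in src_vlans.items():
            for dst_vlans in SITES.values():
                for dst_role, dst_cidr in dst_vlans.items():
                    src = str(ipaddress.ip_network(src_cidr)[10])
                    dst = str(ipaddress.ip_network(dst_cidr)[10])
                    if path_verdict(src, dst)[0] == "allow":
                        allowed.add((src_role, dst_role))
    return sorted(allowed)


if __name__ == "__main__":
    for flow in [("10.10.1.5", "10.20.1.5"), ("10.10.1.5", "10.20.2.5"),
                 ("10.10.1.5", "10.10.2.5")]:
        print(flow, "->", path_verdict(*flow))
    print("allowed role pairs:", check_separation())
```

The evaluator picks the rule set by path because the local MX L3 rules only see inter-VLAN traffic on that appliance, while anything entering the AutoVPN tunnel is checked against the org-wide S2S VPN rules instead; that is why both layers are needed and why the supernet rules alone would not stop a prod host reaching the HA VLAN on its own site.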