Multi site Speedfusion but limiting sites connection to eachother

ok brain trust I have a central network with recourses on it. I have 4 offices outside of that network they all need to speak to the central location but no connection to each. When I create a speed fusion VPN they all start talking to each other. what is the process other then Firewall rules to stop that from happening. Its easy in other VPN types but speed fusion likes to just all to all.

On the central hub site, turn on speedfusion route isolation (its under OSPF).

Assuming that your outside nodes each have distinct network address segments, you can handle through-hub access using the firewall rules in the “Internal Network Firewall Rules” pane of the hub management. E.g., you can designate certain network segment as being trusted (using the “Grouped Networks” mechanism), and then deny traffic from sources not on any of these. I know that this is using “Firewall rules”, but it works well, and is quite simple to maintain.
Or you can invert the grouping of networks, to apply to the network address segments of the four outside offices, and then deny internal traffic sourced from them.