Verifying firewall policies on a spoke

To verify firewall policies on a spoke:
  1. In FortiOS, on a spoke FortiGate, go to Policy & Objects > Firewall Policy.

  2. Verify that firewall policies have been configured.

Note

OaaS creates wildcard allow policies for the tunnel overlays on the spoke FortiGates. In some cases, these policies do not provide the granularity needed to restrict overlay traffic to specific subnets or hosts.

Note

OaaS creates and modifies only the configuration settings that it generated and does not affect any other FortiGate configuration settings. The FortiGate spoke administrator is therefore free to add firewall policies and other configuration settings as needed, provided that they reference only these specific configuration settings created by OaaS:

  • oaas_lan_zone defined in config system zone

  • oaas_overlay defined in config zone within config system sdwan

  • oaas_corp_network defined in config firewall addrgrp

However, to ensure proper operation of OaaS with regard to topology changes and updates, do not reference any other OaaS configuration settings in firewall policies or other configuration settings that you add after installing settings orchestrated from OaaS.
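The following added example (not Fortinet code) checks a spoke configuration backup for administrator-added firewall policies that reference OaaS objects other than the three listed above. It assumes that OaaS-generated objects and policies have names beginning with oaas_; that prefix rule and every sample name other than the three listed objects are assumptions, not taken from this page.

```python
import shlex

# The only OaaS-created objects the page says admin-added settings may reference.
ALLOWED = {"oaas_lan_zone", "oaas_overlay", "oaas_corp_network"}
PREFIX = "oaas_"  # assumption: every OaaS-generated name carries this prefix

def parse_policies(text):
    """Return {policy_id: {setting: [values]}} for 'config firewall policy'."""
    policies, inside, cur = {}, False, None
    for line in map(str.strip, text.splitlines()):
        if line == "config firewall policy":
            inside = True
        elif inside and line == "end":
            break
        elif inside and line.startswith("edit "):
            cur = policies.setdefault(int(line.split()[1]), {})
        elif inside and cur is not None and line.startswith("set "):
            _, key, *values = shlex.split(line)  # strips the CLI's double quotes
            cur[key] = values
    return policies

def disallowed_refs(text):
    """List (policy_id, setting, name) where an admin policy uses another OaaS object."""
    found = []
    for pid, cfg in sorted(parse_policies(text).items()):
        if cfg.get("name", [""])[0].startswith(PREFIX):
            continue  # assumption: policies named oaas_* were generated by OaaS
        for key in ("srcintf", "dstintf", "srcaddr", "dstaddr"):
            found += [(pid, key, v) for v in cfg.get(key, [])
                      if v.startswith(PREFIX) and v not in ALLOWED]
    return found

# Constructed sample backup; every name except the three in ALLOWED is hypothetical.
SAMPLE = """config firewall policy
    edit 1
        set name "oaas_overlay_out"
        set dstintf "oaas_hub1_tunnel"
    next
    edit 101
        set name "finance-to-corp"
        set dstintf "oaas_overlay"
        set dstaddr "oaas_corp_network"
    next
    edit 102
        set name "branch-to-hub"
        set dstintf "oaas_hub1_tunnel"
    next
end
"""
```

Calling disallowed_refs(SAMPLE) reports only policy 102, whose dstintf points at an OaaS object outside the permitted three.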
