We have a question regarding audit requirements. We are considering restricting access to our OC console URL on our secondary hub (collector hub) servers.

Is there any impact if we block access to the OC URL on our secondary hub?

For example, would it affect device discovery or any other functionality?

Dx UIM 

If the OC URL is blown from the secondary hub and meets the port requirements [Firewall Port Reference (broadcom.com)], there shouldn't be any consequences.

However, it's important to note that the discovery_server of the primary hub needs to be able to contact the remote hubs to obtain information about the robots.

As long as this works, it's fine. You can then apply a URL blacklist, such as preventing the hub from accessing ocserverIP:80, to ensure that everything is working properly.