If you don't want any possibility RFC leaks after refresh.
After database reset and rename, before you startsap for the first time use the sqlplus tool (or equivalent for your Database)
sqlplus / as sysdba
Step 1: Backup rfcdes table.
SQL> create table sapr3.rfcdes_sav as select * from sapr3.rfcdes;
Step 2: Update all entries, including locked RFC entries
SQL> update sapr3.rfcdes set rfcoptions=replace(rfcoptions,'H=','H=disabledforqa.');
SQL> commit;
This will change all hostnames to for example "H=disabledforqa.150.45.152.140,S=00,M=110,L=E,v=57F23915472A221E2149D13B5317,u=Y" which will effectively block any external access.
Step 3: Startsap (normally with rdisp/wp_no_btc = 0 )
Step 4: Using /nsm59 change only those RFC's needed for new system
Reversal:
SQL> update sapr3.rfcdes set rfcoptions=replace(rfcoptions,'H=disabledforqa.','H=');