AFM Rule Evaluation in Virtual Server Context Default Allow Problem

I have several virtual server context AFM policies that include a deny any any (which I created), but the default allow any any rule (virtual server context is set to ADC mode) is still showing hits. My allow rules combined with my deny any any should cover all possible traffic, leaving none hitting the default allow, so this makes no sense.

 

I see another user, JWhitesPro, has asked this same question and not gotten any satisfactory response: https://devcentral.f5.com/questions/afm-rule-evaluation-47469

 

I've looked through many articles and cannot find an answer for this. My colleague has also had a case open with support for months and we haven't found an answer.

 

Any help would be greatly appreciated.

 

Running version 12.1.1 hotfix 2.