Custom deny rule groups and rules can be edited on the global deny rule page (Application Firewall -> Deny Rules). To add a new custom deny rule group, click on the "+" button in the table "Custom Deny Rule Groups" and provide a unique name for the group. To add a custom rule to a custom group, click on the "+" button on the right inside the group. Rules are removed from a group by clicking on the "-" button right next to them.
When clicking the "-" button, the rule gets immediately deleted without any further confirmation. If you deleted a rule by mistake, you can reload the last saved or activated configuration under "Configuration Files" to recover the previous configuration.
Individual deny rules can be set to operate in log-only mode. In log-only mode, requests violating the rule are not blocked. The corresponding block log entry is created, but the request is still passed to the back-end server. Use the "Log only" checkbox on a deny rule group header to quickly enable/disable the log-only mode for all rules in the group.