REgards: Priviliged Access Management /appliance interface.
Currently it's not possible to drop traffic from an address that is not in the allow list. The only options are accept and reject. Both cases give response. So a potential attacker will always now that there is something behind the address. So it would be wiser to drop traffic from denied addresses and no response in return to mitigate scripted attacks and focussed vectors.