Looks like this is a known issue during upgrade. Those hidden firewall rules won't go away until the firewall config is updated in some way. So upgrade would go like-
1) Upgrade VCD
2) Upgrade VSM
3) Redeploy the gateway to upgrade gateway edge to version 5.1
4) Convert the firewall rules to the new format (where firewall rules don't have the interface or traffic direction)
5) Edit gateway properties and enable multi-interface mode
6) Change the firewall spec in some way, i.e. add a dummy firewall and delete it, disable and then enable the firewall, etc.
That should cause the deny rule to go away