yup.. Spent 1 day with a possible bug.. when creating a policy with IPSEC, in the GUI I enabled the checkbox that the remote end can initiate the VPN (as usual), but in the CLI for that same policy the enable outbond was set to disable... so he could encrypt towards me, but me to him not.. the policy was simply skipped.. When trying to uncheck the feature in the GUI you get an command message saying something about Invalid something, cannot remember. Just be aware of this, it wasted our day here..
No problems here, a pair of FGT3240C and FGT300D was upgraded. We had issues in our FGT3240C where only one address would failed to match the fwpoicyid but if we "swack" that vdom to the 2nd cluster member it would work. So that was why we jumped from 5.2.11 to 5.2.13 in our multi-vdom FGT-cluster.