Here's how you do it:
Create a new custom application on UDP ports 500 and 4500 to pass IKE and NAT-T traffic:
Policy -> Rule Elements -> Applications
Click the '+' sign to add a new Application
TCP/UDP is selected by default. Type '500,4500' in the 'UDP Ports' text box
Create a new Access Control Rule.
In the 'Applications' section choose the new application you created for UDP ports 500/4500. You must also select the built-in application called 'IPSec/ESP' to pass the 'ESP/protocol 50' (phase 2) traffic. You will then have two applications in this rule.
Select your Source and Destination Zones accordingly. If you choose <Any> for the Source Zone, it may cause the VPNs that terminate on the external side of the firewall to stop working, so choose accordingly.
Save this rule. Move it above the Deny All rule.
In version 8.x all services are stateful, so you do not need a bi-directional service (they no longer exist) and you do not need a 'return rule' for the response traffic to pass back through the firewall.
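To check which traffic a rule built this way actually covers, here is an added example (it is not from the original post and does not use any vendor API): a small Python classifier that parses raw IPv4 packets, tells IKE on UDP 500, IKE and ESP on UDP 4500 (distinguished by the RFC 3948 non-ESP marker) and native ESP (protocol 50) apart, and then evaluates constructed sample packets against a simulated rule. The application labels 'UDP 500/4500' and 'IPSec/ESP', the sample packets, and the permit logic are assumptions made for the simulation, not the firewall's own rule engine; the point it shows is that a rule holding only the custom UDP application passes phase 1 and NAT-T traffic but silently drops un-encapsulated ESP.

```python
import struct

IPPROTO_UDP = 17
IPPROTO_ESP = 50
IKE_PORT = 500
NATT_PORT = 4500

# Labels for the two rule elements described above (hypothetical names for the simulation).
APP_UDP_500_4500 = "UDP 500/4500"   # the custom application created in the answer
APP_IPSEC_ESP = "IPSec/ESP"         # the built-in application for IP protocol 50


def classify(packet: bytes) -> str:
    """Classify a raw IPv4 packet as IKE, NAT-T IKE, NAT-T ESP, ESP, or OTHER."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    payload = packet[ihl:]
    if proto == IPPROTO_ESP:
        return "ESP"                     # native ESP, IP protocol 50 (phase 2 data)
    if proto == IPPROTO_UDP:
        if len(payload) < 8:
            raise ValueError("truncated UDP header")
        sport, dport = struct.unpack("!HH", payload[:4])
        data = payload[8:]
        if IKE_PORT in (sport, dport):
            return "IKE"                 # phase 1 without NAT traversal
        if NATT_PORT in (sport, dport):
            # RFC 3948: on UDP 4500 an IKE message is prefixed with a 4-byte
            # non-ESP marker of zeros; ESP-in-UDP starts with a non-zero SPI.
            if data[:4] == b"\x00\x00\x00\x00":
                return "NAT-T IKE"
            return "NAT-T ESP"
    return "OTHER"


def rule_permits(applications: set, kind: str) -> bool:
    """Simulated rule match: UDP-encapsulated ESP on 4500 is covered by the UDP
    application; only raw protocol 50 needs the IPSec/ESP application."""
    required = {
        "IKE": APP_UDP_500_4500,
        "NAT-T IKE": APP_UDP_500_4500,
        "NAT-T ESP": APP_UDP_500_4500,
        "ESP": APP_IPSEC_ESP,
    }
    return kind in required and required[kind] in applications


def build_ipv4(proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 header (no options, checksum left zero) for constructed samples."""
    src, dst = bytes([10, 0, 0, 1]), bytes([192, 168, 1, 1])
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, src, dst)
    return hdr + payload


def build_udp(sport: int, dport: int, data: bytes) -> bytes:
    """UDP header (checksum left zero) plus payload for constructed samples."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


# Constructed sample payloads: an IKEv2-shaped header and an ESP header with a non-zero SPI.
IKE_HDR = b"\x11" * 8 + b"\x00" * 8 + b"\x21\x20\x22\x08" + b"\x00" * 8
ESP_HDR = b"\x00\x00\x12\x34" + b"\x00\x00\x00\x01" + b"\xaa" * 16

SAMPLE_PACKETS = {
    "ike": build_ipv4(IPPROTO_UDP, build_udp(500, 500, IKE_HDR)),
    "natt_ike": build_ipv4(IPPROTO_UDP, build_udp(4500, 4500, b"\x00\x00\x00\x00" + IKE_HDR)),
    "natt_esp": build_ipv4(IPPROTO_UDP, build_udp(4500, 4500, ESP_HDR)),
    "esp": build_ipv4(IPPROTO_ESP, ESP_HDR),
    "https": build_ipv4(6, struct.pack("!HH", 51000, 443) + b"\x00" * 16),
}


def audit(applications: set) -> dict:
    """Return {sample name: permitted?} for a rule carrying the given applications."""
    return {name: rule_permits(applications, classify(pkt)) for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for apps in ({APP_UDP_500_4500}, {APP_UDP_500_4500, APP_IPSEC_ESP}):
        print(sorted(apps), audit(apps))
```

Running it prints the audit for the incomplete rule (only the UDP application, where the 'esp' sample is denied) and for the complete rule with both applications, which is the configuration the answer describes.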
Thanks so much!