The exact mechanism is as follows:
- Unless you changed the default behavior of FMG not to retrieve config changes made directly on the FGT devices, the new local users you configured on the device are "auto-retrieved" by FMG, and it created a new revision of the device config in the device DB.
- When you manually retrieved, it must have created another revision (you can check them in the revision history).
- At that time, you must have seen the policy package, which includes the local user config as one of the objects in the package, go out of sync, because that doesn't match the retrieved device config.
- When you re-applied the existing policy package, the existing (in the package) policies + user groups (including those local users) obviously don't include your new user(s), therefore they were removed in the device DB and then at the device.
To prevent that, what you should always be doing is this: whenever you push a device config, a policy package, etc. from FMG, you should check "Install Preview" to see what would actually change with the push. At that time you should be able to realize that your new users or other config would be removed if you hit the "Next" button, and then back off.
After backing off, you have to configure the objects (local users) in the policy package to match what you configured on the device. Then check Install Preview again and adjust further until you're satisfied, and finally push the NEW policy package.
After all of this, you've now learned that you shouldn't have added users at the device but should have added them at Policy & Objects on the FMG side, because it's a part of your policy package.
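The Install Preview check described in the answer above can be partly automated. The script below is an added example, not part of the original post and not Fortinet code; it assumes the preview has been copied out as plain FortiOS CLI text, and the sample text, user names and function names are constructed for illustration.

```python
import shlex

# Constructed sample of Install Preview text (FortiOS CLI syntax), not from the post.
SAMPLE_PREVIEW = """\
config user local
    delete "newuser1"
    delete "newuser2"
end
config user group
    edit "vpn-users"
        set member "alice" "bob"
    next
end
config firewall policy
    edit 12
        unset groups
    next
end
"""

REMOVAL_COMMANDS = {"delete", "purge", "unset"}

def find_removals(preview_text):
    """Return (config_path, command, target) for each line that removes config."""
    stack = []     # open contexts, outermost first: ("config", name) or ("edit", name)
    findings = []
    for raw in preview_text.splitlines():
        try:
            tokens = shlex.split(raw)
        except ValueError:          # unbalanced quote: fall back to plain split
            tokens = raw.split()
        if not tokens:
            continue
        cmd, target = tokens[0], " ".join(tokens[1:])
        if cmd in ("config", "edit"):
            stack.append((cmd, target))
        elif cmd == "next" and stack and stack[-1][0] == "edit":
            stack.pop()             # 'next' closes the current 'edit'
        elif cmd == "end":
            while stack and stack.pop()[0] != "config":
                pass                # 'end' closes the nearest open 'config'
        elif cmd in REMOVAL_COMMANDS:
            path = " / ".join(name for _, name in stack)
            findings.append((path, cmd, target))
    return findings

def removed_local_users(preview_text):
    """Names of local users the push would delete from the device."""
    return [t for p, c, t in find_removals(preview_text)
            if p == "user local" and c == "delete"]

if __name__ == "__main__":
    for path, cmd, target in find_removals(SAMPLE_PREVIEW):
        print(f"REMOVES [{path}] {cmd} {target}")
```

Any non-empty result from `removed_local_users` is the signal to back off and reconcile the policy package before installing.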