Just to let you know, since I found no KB article for this issue: a policy push from Panorama, or a local commit on the firewalls, ended in a strange error message regarding group assignment to policy.
Error: Failed to add group to id manager
Error: Failed to parse security policy
Cure comes with CLI Command: "debug user-id reset user-id-manager type user-group"
-> commit force
Works like a charm!
This can work for most commit issues as well (from my experience). I would like to add a note on what I was seeing here to maybe help others. I have "Group Mapping Settings" pushed from Panorama to my devices globally; sadly, the "Groups Included List" does not work properly when pushed to devices. I have to go in and override the mappings on each device, removing the include groups and adding them back in the override.
A commit force does work from the local device but when pushing the Template and Group Config you still get:
This is where the override comes in to fix this on the Panorama push. The issue here is the firewall(s) don't have the group mapped that is being used in the security policy. Again, this is because Panorama does not properly populate the included groups in the Group Mapping config.