When the ProxySG appliance is upgraded from SGOS 6.2 to SGOS 6.5, customers report that CPU utilization for policy evaluation is much greater in 6.5 than it was in 6.2.
In one instance, a customer reported that CPU utilization increased by 20% and that the appliance entered TCP acceptance regulation (see Customer example).
This issue occurs mainly because of new policy features introduced in SGOS 6.4 and because of nested policy (see Nested policy example). To support nested policy, the policy engine was changed to combine many objects into one larger condition. If all objects in the condition are simple IP addresses or subnets, the performance impact is small, but if the nested policy contains groups inside groups, the performance impact is greater. Separately, an increase of a few percentage points in CPU utilization after any upgrade is expected.
Customer example
<proxy>
ALLOW condition=__CondList1URL_2ch.net_Allow url.host.substring=2ch.net
define condition __CondList1URL_2ch.net_Allow
  client.address=Group05
  client.address=Group07
  client.address=Group12
  client.address=Group13
  client.address=Group14
  client.address=Group19
  client.address=Group20
  client.address=Group22
  client.address=Group23
  client.address=Group27
  client.address=Group32
  client.address=Group38
  client.address=Group81
  client.address=Group90
  client.address=Group91
  client.address=Group96
  client.address=Group97
  client.address=Group98
  client.address=Group99
  client.address=Group101
  client.address=Group127
end
If you still see high CPU utilization after disabling policy coverage, you need to change the policy so that it does not use nested conditions.
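The following script is an added example, not Symantec/Blue Coat tooling, that shows one way to find nested conditions in a CPL policy and rewrite them as a single flat condition, which is the remediation described above. It assumes that conditions nest only through `condition=<name>` lines, that `define subnet` blocks hold plain IP or subnet entries, and that every definition is closed with `end`; the CPL sample embedded in it is constructed, and the names Group05, Group07, Branch_Offices and Group05_And_Branches are hypothetical.

```python
"""Report nesting depth of ProxySG CPL conditions and flatten them.

Added example (not Symantec/Blue Coat tooling). Assumptions: conditions nest
only via `condition=<name>` lines, `define subnet` blocks contain plain
IP/subnet entries, and each definition ends with `end`.
"""
import re

DEFINE_RE = re.compile(r"^define\s+(subnet|condition)\s+(\S+)\s*$")

# Constructed sample policy: the allow rule depends on a condition nested two
# levels deep (__CondList... -> Group05_And_Branches -> Branch_Offices).
SAMPLE_CPL = """\
define subnet Group05
  10.5.0.0/16
  10.6.0.0/16
end

define subnet Group07
  10.7.0.0/16        ; branch office
end

define condition Branch_Offices
  client.address=Group07
end

define condition Group05_And_Branches
  client.address=Group05
  condition=Branch_Offices
end

define condition __CondList1URL_2ch.net_Allow
  condition=Group05_And_Branches
  client.address=192.0.2.0/24
end

<proxy>
  ALLOW condition=__CondList1URL_2ch.net_Allow url.host.substring=2ch.net
"""


def parse_cpl(text):
    """Return (subnets, conditions): name -> list of body lines, comments stripped."""
    subnets, conditions, body = {}, {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a CPL comment
        if not line:
            continue
        match = DEFINE_RE.match(line)
        if match:
            kind, name = match.groups()
            body = (subnets if kind == "subnet" else conditions).setdefault(name, [])
        elif line == "end":
            body = None
        elif body is not None:  # layer headers and rules outside definitions are skipped
            body.append(line)
    return subnets, conditions


def _ref(line):
    """Return the referenced name for a 'condition=<name>' line, else None."""
    return line.split("=", 1)[1] if line.startswith("condition=") else None


def nesting_depth(name, conditions, _path=()):
    """Number of condition-reference hops below `name` (0 means only leaf tests)."""
    if name in _path:
        raise ValueError("cyclic condition reference: " + " -> ".join(_path + (name,)))
    depth = 0
    for line in conditions.get(name, []):
        child = _ref(line)
        if child is not None:
            depth = max(depth, 1 + nesting_depth(child, conditions, _path + (name,)))
    return depth


def flatten_condition(name, conditions, subnets=None, _path=()):
    """Inline every condition= reference; with `subnets`, also expand subnet lists.

    Returns an ordered, de-duplicated list of leaf tests.
    """
    if name in _path:
        raise ValueError("cyclic condition reference: " + " -> ".join(_path + (name,)))
    out = []
    for line in conditions[name]:
        child = _ref(line)
        if child is not None:
            out.extend(flatten_condition(child, conditions, subnets, _path + (name,)))
            continue
        key, _, value = line.partition("=")
        if subnets is not None and key == "client.address" and value in subnets:
            out.extend("client.address=" + entry for entry in subnets[value])
        else:
            out.append(line)
    return list(dict.fromkeys(out))  # dedupe while keeping first-seen order


def render_flat(name, conditions, subnets=None):
    """Emit a flat `define condition` block equivalent to the nested one."""
    body = flatten_condition(name, conditions, subnets)
    return "\n".join(["define condition " + name] + ["  " + t for t in body] + ["end"])


if __name__ == "__main__":
    subnets, conditions = parse_cpl(SAMPLE_CPL)
    for cond in conditions:
        print(f"{cond}: nesting depth {nesting_depth(cond, conditions)}")
    print(render_flat("__CondList1URL_2ch.net_Allow", conditions, subnets))
```

Run it against an exported policy file instead of `SAMPLE_CPL` to list which conditions are nested and how deep; conditions with depth 0 that contain only `client.address` subnet tests are the cheap case the article describes, and `render_flat` produces the replacement block for the deeper ones. The cycle check exists because a condition that references itself, directly or indirectly, would otherwise recurse forever.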