After the ProxySG appliance is upgraded from SGOS 6.2 to 6.5, customers report that CPU utilization for policy evaluation is much greater in 6.5 than in 6.2.
In one instance, a customer reported that CPU utilization increased 20% and that the appliance experienced TCP acceptance regulation (see Customer example).
This issue occurs mainly because of new policy features in SGOS 6.4 and nested policy (see Nested policy example). To support nested policy, the policy engine was changed to combine many objects into one larger condition. If all objects in the condition are simple IP addresses or subnets, there is less impact on performance, but if the nested policy contains groups inside groups, the performance impact is greater. In addition, an increase in CPU utilization of a few percentage points after an upgrade is expected.
ALLOW condition=__CondList1URL_2ch.net_Allow url.host.substring=2ch.net
define condition __CondList1URL_2ch.net_Allow
If you still see high CPU utilization after disabling policy coverage, change the policy so that it does not use nested conditions.
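To decide which conditions to flatten first, the following added example (not part of the original article and not a vendor tool) scans exported CPL text for `define condition` blocks that reference other conditions and reports how deeply each one nests. It assumes blocks close with `end` and that `;` starts a comment; the sample policy and its condition names are constructed for illustration.

```python
import re

# Constructed sample CPL; condition names, hosts and subnet are hypothetical.
SAMPLE_CPL = """\
define condition InnerHosts
  url.host.substring=example.org
end
define condition MiddleGroup
  condition=InnerHosts
  url.host.substring=example.net
end
define condition OuterGroup
  condition=MiddleGroup
  client.address=192.0.2.0/24
end
ALLOW condition=OuterGroup
"""

DEFINE_RE = re.compile(r"^\s*define\s+condition\s+(\S+)", re.I)
END_RE = re.compile(r"^\s*end\b", re.I)
REF_RE = re.compile(r"\bcondition\s*=\s*!?\s*(\S+)", re.I)

def parse_conditions(cpl_text):
    """Map each 'define condition' name to the conditions its body references."""
    refs, current = {}, None
    for raw in cpl_text.splitlines():
        line = raw.split(";", 1)[0]  # assumption: ';' starts a CPL comment
        m = DEFINE_RE.match(line)
        if m:
            current = m.group(1)
            refs[current] = []
        elif current and END_RE.match(line):
            current = None
        elif current:  # only lines inside a definition count as nesting
            refs[current].extend(REF_RE.findall(line))
    return refs

def nesting_depth(name, refs, seen=()):
    """0 = only simple tests; each level of condition= reference adds 1."""
    if name in seen or name not in refs:
        return 0  # undefined or circular reference: stop descending
    return max((1 + nesting_depth(r, refs, seen + (name,)) for r in refs[name]), default=0)

def nested_report(cpl_text):
    """Return {condition: depth} for every condition that nests another."""
    refs = parse_conditions(cpl_text)
    return {n: d for n in refs if (d := nesting_depth(n, refs)) > 0}

if __name__ == "__main__":
    print(nested_report(SAMPLE_CPL))
```

Conditions with the highest depth are the "groups inside groups" case described above and are the first candidates for rewriting into flat lists.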