If you have experience enabling anti-malware scanning on MWG, whether signature-based or the emulation-based Gateway Anti-Malware, you know that it significantly reduces the overall requests-per-second capacity of the appliances (physical or virtual). This makes sense, because thorough anti-malware screening takes a lot of CPU cycles. An appliance with SSL scanning on that is not scanning for malware can typically handle 3x or more the number of requests it can handle when SSL scanning is on and all content that can be scanned is being scanned. Best practice is to have SSL scanning on for all but a few selected trusted categories or sites, and to scan all downloads that can be scanned with Gateway Anti-Malware. However, this can mean assigning many more dedicated resources to your web gateways just to handle redundancy and short-term peaks, and these resources will be under-utilized at all other times.
The level of resources (appliances and VMs) required to handle peaks can be dramatically reduced in two ways. The first is to monitor the CPU load and either offload or burst anti-malware scanning to the Web Gateway Cloud Service (requires WPS, SWE, or CSS licenses for all users), as described here: Load Aware Burst to WGCS Saves Resources and Money. The second is simply to block select sites or bypass anti-malware for select sites, as described below.
If you don't have a license for Web Gateway Cloud Service and are willing to slightly diminish your security posture and/or block non-critical sites in times of peak load, you can dramatically reduce the resources you need to purchase and maintain. The trick is to use the load awareness feature of the MWG intelligently. When CPU load is high, you can temporarily reduce it by blocking non-critical sites in the request cycle and/or not scanning trusted sites in business-critical categories in the response and embedded cycles. CPULoad is a statistics counter value that can be used in rule criteria. An example ruleset is attached (recommended placement is after URL Filtering but before any DLP or anti-malware rulesets) and looks like this (note that you do not enable this ruleset in the cloud):