Assuming you are in an APCL/URLF policy layer, from an optimization perspective using object "Internet" is just fine (assuming that it is properly defined in your firewall's topology settings). "Any" is what you want to avoid to keep traffic from needlessly getting pulled into the Medium Path (PXL). Perhaps an example will help.
Let's assume that you are using an ordered APCL/URLF policy layer for just those features. I'll use an ordered layer here since most Check Point admins have a fairly easy time understanding how ordered layers work, because R77.30 and earlier gateways operated this way. In addition, right after an R77.30 to R80+ SMS upgrade, ordered layers will be the default.
An optimized APCL/URLF policy to maximize high-speed LAN traffic that can be accelerated is generally constructed as follows; if you have an R80.10 gateway, Security Zones will make this much easier. Let's assume a firewall with four interfaces and each has a single Security Zone associated with it: Inside1, Inside2, DMZ, Outside. Let's also assume we are doing a blacklist approach for applications, so the Implicit Cleanup Action for this layer is Accept:

Name: Access Exceptions for certain users/groups
Source: Access Role(s) specifying users/groups, set Networks on ALL access roles here to a list of all internal subnets. Do not include DMZs; unfortunately, Security Zones cannot be specified on the Network tab of an Access Role.
Destination: Outside zone
Applications: Facebook, etc.
Action: Accept
Track: Detailed Log

Name: Block Bad Stuff for all users
Source: Inside1, Inside2 zones
Destination: Outside zone
Application: Group of prohibited applications
Action: Drop
Track: Log

Name: Separately log unknown applications (optional)
Source: Inside1, Inside2 zones
Destination: Outside zone
Application: Unknown Traffic
Action: Accept
Track: Detailed Log

Name: Log all else for reporting purposes (optional)
Source: Inside1, Inside2 zones
Destination: Outside zone
Application: Any ("Any Recognized" in R77.30)
Action: Accept
Track: Detailed Log

(Missing cleanup rule - Unmatched traffic will be accepted and not logged)

Notice that traffic flowing in the following directions through the firewall won't match any rule in this policy layer at all and will "fall off" the end of this policy layer and hit the Implicit Cleanup Action of Accept:
Inside1,Inside2 -> DMZ
DMZ -> Inside1,Inside2
Inside1 -> Inside2
Inside2 -> Inside1
This is the desired effect; the high-speed LAN traffic blazing between these zones will not be evaluated by APCL/URLF at all, and is eligible to be fully accelerated by SecureXL in the SXL path. This assumes of course that the policy associated with another blade such as IPS or Threat Prevention does not need to pull that same traffic up into PXL for inspection. Using the tricks shown in my CPX presentation here, IPS/TP can be switched off on the gateway "on the fly" to see if this is indeed the case.
In the TP policy, using these same techniques (and so-called "null" TP profiles covered in my book, NOT a TP Exception) can ensure that high-speed LAN traffic does not get unnecessarily dragged into PXL, which is a classic cause of the high Firewall Worker CPU utilization you are seeing.
--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com
Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
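
Added example, not part of the original post and not Check Point code: a simplified Python model of the four-rule layer above that lists which zone pairs can match a rule's Source/Destination columns and which fall through to the Implicit Cleanup Action, then repeats the check with Destination widened to Any. It models only the Source and Destination columns, and treating rule 1's Access Role networks as the Inside1/Inside2 zones is an assumption.

```python
from itertools import permutations

ZONES = ["Inside1", "Inside2", "DMZ", "Outside"]
INSIDE = {"Inside1", "Inside2"}
ANY = set(ZONES)

# (name, source zones, destination zones, action), in layer order as in the post.
# Assumption: rule 1's Access Role networks are behind the Inside1/Inside2 zones.
LAYER = [
    ("Access Exceptions for certain users/groups", INSIDE, {"Outside"}, "Accept"),
    ("Block Bad Stuff for all users", INSIDE, {"Outside"}, "Drop"),
    ("Separately log unknown applications", INSIDE, {"Outside"}, "Accept"),
    ("Log all else for reporting purposes", INSIDE, {"Outside"}, "Accept"),
]


def candidate_rules(layer, src, dst):
    """Names of rules whose Source and Destination columns match the zone pair.

    For these rules the Application column still has to be evaluated.
    """
    return [name for name, s, d, _ in layer if src in s and dst in d]


def classify(layer, zones=ZONES):
    """Split ordered zone pairs into (matched by some rule, fall through)."""
    matched, fall_through = [], []
    for src, dst in permutations(zones, 2):
        bucket = matched if candidate_rules(layer, src, dst) else fall_through
        bucket.append((src, dst))
    return matched, fall_through


def with_any_destination(layer):
    """Same layer with every Destination set to Any (the pattern to avoid)."""
    return [(name, s, ANY, action) for name, s, _, action in layer]


if __name__ == "__main__":
    variants = (("as posted", LAYER),
                ("Destination = Any", with_any_destination(LAYER)))
    for label, layer in variants:
        matched, fall_through = classify(layer)
        print(label)
        print("  evaluated by the layer:   ", matched)
        print("  implicit cleanup (Accept):", fall_through)
```

With the zone-scoped rules only Inside1 and Inside2 to Outside are evaluated by the layer; with Destination set to Any, the Inside1/Inside2 to DMZ and Inside-to-Inside pairs are pulled in as well.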