Identity Awareness costs some RAM, but basically no processor time. Antibot costs RAM but also not a lot of processor time. A toaster could manage 400M of VPN throughput. Threat Emulation doesn't happen on the firewall itself, so again, doesn't take significant processor time.
The most costly part of what you're discussing from a performance standpoint would be the HTTPS inspection (read: TLS interception and decryption). If interior stuff is mostly clear, you avoid the big decryption hit. AV, and URL Filtering are pretty fast once the traffic is clear.
IPS is the next potentially-expensive thing. Certain protections force traffic off the fast path (SecureXL) in the firewall to the medium (PXL) or slow path. Look at the performance impact of the various protections, and consider if the ones with critical performance impact are really needed for your environment.
With only a little tuning, two eight-core processors should be plenty for 20G of mostly-clear throughput with most features enabled for the foreseeable future.
As an aside, I highly recommend thinking about VSX. Every firewall license includes the ability to enable VSX, which helps separate to-traffic (for managing the firewall, Identity Awareness, updates, etc.) from through-traffic. This makes the source of traffic the firewall sends more consistent and predictable. It also lets it act like ASAs, which have one routing table for the management interface and a totally separate routing table for all the other interfaces.
If you do use VSX, try to put everything in bonds. This makes moving between servers or adding interfaces in the future much easier.