The performance you're going to experience is a function of:
- Types of traffic flowing through the gateway (which may or may not be malicious)
- The protection profile in place (what protections are enabled, etc.)
If there is more (potentially) malicious traffic flowing and more complex protections are enabled, deeper inspection will need to be done, which will in turn reduce the overall throughput of the gateway.
As to what ratio of traffic goes from first tier to second tier or to even deeper inspection, it really depends on the traffic flow, as you said.