My impression is that fw monitor -F captures traffic directly in the sim driver via a debug filter which is why you can capture fully-accelerated traffic with it.  While running fw monitor -F does place the capturing modules in the chain sequence similar to fw monitor -e, I don't think those modules are actually capturing anything while fw monitor -F is running unless the traffic happens to be F2F and traversing the full chain sequence.  This may also be the case for Medium Path traffic (PSL & CPAS) or even F2V but that is less clear to me.  In the F2F case there could be modifications to the packet visible at I and o->O that the sim driver would not necessarily be able to "see" happening until it reached O and re-entered the sim driver on the outbound side.  So I would assume placing the capturing chain modules while fw monitor -F is running handles this corner case and ensures a full capture of F2F traffic.

In R80.20 some of SecureXL's original responsibilities such as path determination and formation/matching of Accept/NAT templates were moved into the Firewall worker/instances which muddies the waters a bit here, and is why you see SecureXL "chain modules" in the output of fw ctl chain in R80.20+.  The EA release notes for R81.20 state that even more of SecureXL/Performance Pack's functions are being moved out of sim into the Firewall Workers/Instances, but I haven't had a chance to check it out yet.

The first column are the modules number and they are not indicating in which order packets are traversing the firewall? Is it the second column that shows the "order of operation" The fw VM has a absolute value of 0 and operation that takes place before fw VM have a - (minus) hexadecimal number?