Although this might seem counter-intuitive, it's not. Those ciphers enable Forward Secrecy and when your SA appliance is behind an SSL-decrypting web app firewall using inline bridge mode or an IDS/IPS using sniffing mode, the use of Diffie-Hellman ciphers causes the WAF and IDS/IPS to go completely blind to the SSL traffic.
So while the use of Forward Secrecy improves the individual client-to-server connection security, it actually can open your entire company to being hacked because application-level attacks via HTTPS will go right through to the SA appliances.
It would be nice if we could actually select the ciphers we want to use and in what server-preferred order.
I full agree !
Is there any way to disable ECDHE and DHE ciphers on Junpier MAG's if required for some customers ?
The request has been logged, and it is a planned feature but not likely to happen until the next major point release of the software according to Kita. With everything up in the air with the merger to pulse secure this may take longer than usual.