Due to the fact that, when PFS is enabled, per-session keys are used and those keys never exist on the wire, ExtraHop is currently unable to perform any decryption of PFS traffic.
A possible solution to this problem is to only provide PFS up to the first point of contact (i.e. the load balancer), then use standard SSL in the intermediary layers.
Another impacting trend of late is the habit of browser vendors to "lock down" on security flaws. A prime example here is Google Chrome, which not only warns about weak keys but refuses to allow the user to access the site. At this time, Chrome provides NO reliable method that allows users to selectively accept the risks. Google's response appears to be "bad luck, fix the server".
This will ultimately lead to more and more environments using PFS, even for internal traffic.
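The split described above (PFS on the client-facing leg, static RSA key exchange on the internal leg so a passive decryptor holding the backend's private key can still see that hop) expressed as an nginx reverse-proxy configuration. This is an added example, not from the original post or from ExtraHop; hostnames, certificate paths and the exact cipher lists are assumptions.

```nginx
# Added example (not from the original post): front end offers PFS (ECDHE)
# to browsers, while the upstream connection uses an RSA key-exchange suite.
# Hostnames, paths and cipher names are assumed.
server {
    listen 443 ssl;
    server_name www.example.com;

    ssl_certificate     /etc/nginx/tls/frontend.crt;
    ssl_certificate_key /etc/nginx/tls/frontend.key;

    # Client-facing leg: ephemeral ECDHE only. A captured session on this
    # leg cannot be decrypted later, even with the server's private key.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
    ssl_prefer_server_ciphers on;

    location / {
        proxy_pass https://backend.internal;

        # Internal leg: static RSA key exchange (no forward secrecy). RSA key
        # exchange only exists in TLS 1.2 and earlier, so TLS 1.3 must not be
        # offered here. The passive analyser needs backend.internal's private
        # key to decrypt this hop.
        proxy_ssl_protocols TLSv1.2;
        proxy_ssl_ciphers AES256-GCM-SHA384:AES128-GCM-SHA256;
        proxy_ssl_verify on;
        proxy_ssl_trusted_certificate /etc/nginx/tls/internal-ca.crt;
        proxy_ssl_name backend.internal;
    }
}
```

The monitoring tap must sit on the load-balancer-to-backend segment; the client-facing segment stays opaque by design, and the backend's private key becomes the asset whose compromise exposes all recorded internal sessions.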