I've worked in gigs that wanted that. They were all about segmentation, but wanted ICMP echo / response available throughout.
Edit: I wonder if any "enterprise" firewalls do ICMP echo proxying. Having the firewall replace the payload would remove some of the tunneling capability (thought I assume you could still finagle a side channel by just timing the packets) but would also eliminate some of the utility (since being able to craft the payload provides a way to test for specific bit patterns in packets causing problems).
It’s been years but I’ve likely used NAT to redirect ICMP pings so the local firewall responds rather than whatever boat they were trying to reach.
Systems change - a server that once used to respond to pings may no longer do so, but client software may not be updated to stop doing pings before connecting to the actual service on the server. In an ideal world the client code would be updated, in practice: hello firewall.
Edit: I wonder if any "enterprise" firewalls do ICMP echo proxying. Having the firewall replace the payload would remove some of the tunneling capability (thought I assume you could still finagle a side channel by just timing the packets) but would also eliminate some of the utility (since being able to craft the payload provides a way to test for specific bit patterns in packets causing problems).