GlobalProtect must be set up on a firewall with an internal IP address sitting behind an edge Internet device:
Internal Network > PAN ( 192.168.10.2/24) > (192.168.10.1/24) Internet Router (18.104.22.168/24)---(22.214.171.124/24) ISP
In the above setup, the Edge Internet Router (126.96.36.199) is performing NAT to the PAN's untrust interface (192.168.10.1). This could also be accomplished via DynDNS in some home/small office environments where the Internet Router is assigned a dynamic IP address from the ISP but via DynDNS always resolves to the latest Dynamic public address received by the Internet router.
For example, homexyz.dyndns.com ->resolves to 188.8.131.52 or to the latest Dynamic public address received by the Internet router.
In such an implementation, the GlobalProtect Portal and GlobalProtect Gateway would be set up on the PAN untrust interface with IP address 192.168.10.2, as shown in the screen shots below:
However, the Client Configuration section under the Portal needs to have the public IP addresses/FQDNs of the edge device as illustrated in the screen shot below. This list of gateways gets pushed to the PC which will try to tunnel and connect to them.