On the external interface pointing towards the ISP you have to use one address of the /30 subnet. With the other 16 addresses you can then do whatever you want:
- Use one or more single (/32) addresses for loopback interfaces which you use for GlobalProtect or IPSec VPN, for example
- Use these addresses with NAT rules to make internal/DMZ servers publicly available
- Create a DMZ zone where you place servers that will get IPs of this public /28 subnet
- Split the /28 into two /29s and use one for a DMZ and the other for NAT
Hope this helps.