Sometime even if the configuration is correct, GlobalProtect users are unable to access internal resources. This situation may result because the subnet assigned to GlobalProtect is used somewhere in the network or there is a routing issue.
A workaround is to put the tunnel interface used in the GlobalProtect configuration in a different zone (GP-VPN) and do a source NAT for desired traffic. Make sure you have a security policy to allow the traffic.
Following is the topology:
GlobalProtect users are in GP-VPN zone, Servers are in DMZ-L3 zone and internal host are in Trust-L3 zone.
If you are try to access the resources in the DMZ-L3 zone, then do a source NAT from GP-VPN to DMZ-L3