GlobalProtect app on Android 6.0+ cannot establish VPN connection using IP address
Generate a certificate for GlobalProtect Portal/Gateway that have iPAddress subAltName field, and replace the existing certificates.
The following screen shot shows how to set iPAddress Subject Alternative Name on the Palo Alto Netrwork Next-Generation Firewall.
In generating a certificate, add "IP" Type and input the IP address as the Value in Certificate Attributes field:
The generated certificate shows IP Address value in Subject Alternative Name Field:
Set this certificate for GlobalProtect Portal/Gateway certificates. After that, the VPN connection can be established.
Please see the following guide for deploying GlobalProtect Server Certificate:
Another available workaround is removing the CA certificate from the Android phone (Generally from "Setting > Security > Trusted credentials").
In this case, GlobalProtect app shows "Untrsuted Certificate" warning message once (as shown below), then the connection will be established.
This is not recommended generally because users should check destination Portal/Gateway validity manually.