Mostly a way to "group" things.
I have a server with 5 interfaces, I only use two of them for https access.
So, I can put two interfaces in a group and put 3 in another group.
I can put source IPs, destination IPs, and services ports in a "zone" as well.
The advantage is, instead of trying to remember what interfaces go with services, and what ports and IPs I want to allow traffic to, I just put all that in a "zone" and assign the rule to the zone.
There is a GUI for firewall-cmd, but I think maybe it's just called "firewall".
View attachment 21021