CentOS 7: firewalld cheatsheet

  LEMP

Not familiar with this at all; a quick and dirty cheat sheet for my own reference.

It works with zones: each interface (or source address) is bound to a zone, and the zone's rules decide what is allowed in. Easy enough, e.g.:
firewall-cmd --get-active-zones
public
interfaces: eth0

So you can put different NICs, or different source networks, into different zones, each with its own set of services and ports.

Change the zone an interface belongs to (runtime only; add --permanent as well if it should survive a reload or reboot)
firewall-cmd --zone=home --change-interface=eth0

List allowed ports/services for the default zone (add --zone=<zone> for another zone, or use --list-all-zones to see every zone at once)
firewall-cmd --list-all

Adding services. The first form changes the running firewall only and is lost on the next reload or restart:
firewall-cmd --zone=public --add-service=http
The --permanent form is written to the config but does not take effect until you reload, so on a live box you normally run both (or the permanent form followed by --reload):
firewall-cmd --zone=public --permanent --add-service=http

List the service definitions firewalld knows about (the names you can pass to --add-service; this is not the list of what is currently enabled)
firewall-cmd --get-services

Or add custom ports (same runtime vs --permanent rule as for services; ranges take a dash):
firewall-cmd --zone=public --add-port=1234/tcp
or
firewall-cmd --zone=public --add-port=1234-5678/tcp

Reload (applies the permanent config; any runtime-only changes made without --permanent are dropped)
firewall-cmd --reload

Restart & enable
systemctl restart firewalld
systemctl enable firewalld

Lock down ssh
Had to do this on a non disposable system so locked it down a bit using http://serverfault.com/questions/680780/block-all-but-a-few-ips-with-firewalld

firewall-cmd --zone=internal --add-service=ssh --permanent
firewall-cmd --zone=internal --add-source=xxx.xxx.xxx.xxx/32 --permanent
firewall-cmd --zone=internal --add-source=xxx.xxx.xxx.xxx/32 --permanent
firewall-cmd --zone=public --remove-service=ssh --permanent
firewall-cmd --reload

Traffic from an address listed as a source of the internal zone is handled by that zone; everything else arriving on eth0 falls through to public, which no longer allows ssh. Keep the session you ran this from open and confirm with firewall-cmd --zone=internal --list-all (sources and ssh present) and firewall-cmd --zone=public --list-all (ssh gone) before trusting it, because once the reload has happened any address not in those sources cannot reach port 22.
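The lockdown above as a script that applies the permanent changes in a safe order and then verifies the result, added here as an example rather than taken from the post. The parsing works on the text of firewall-cmd --list-all-zones, so the checks can be exercised offline on the constructed sample output embedded below; ALLOWED_SOURCES (TEST-NET-3 addresses standing in for the xxx.xxx.xxx.xxx placeholders) and FIREWALL_CMD (so a dry run can substitute echo) are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example, not part of the original post: lock ssh to a few admin
# addresses via the internal zone and verify the state before trusting it.
# Assumed (hypothetical) knobs: ALLOWED_SOURCES and FIREWALL_CMD.
set -u

ALLOWED_SOURCES="${ALLOWED_SOURCES:-203.0.113.10/32 203.0.113.11/32}"
FIREWALL_CMD="${FIREWALL_CMD:-firewall-cmd}"   # set to "echo firewall-cmd" for a dry run

# Print the block of "firewall-cmd --list-all-zones" output (stdin) for ZONE.
# A zone's block starts with its name in column 1 ("public (active)") and the
# attribute lines beneath it are indented.
zone_block() {
    awk -v z="$1" '
        /^[^ \t]/ { inzone = ($1 == z); next }
        inzone    { print }
    '
}

# Exit 0 if ZONE's "services:" line (listing on stdin) contains SERVICE.
zone_has_service() {
    zone_block "$1" | awk -v s="$2" '
        $1 == "services:" { for (i = 2; i <= NF; i++) if ($i == s) found = 1 }
        END { exit found ? 0 : 1 }
    '
}

# Exit 0 if ZONE's "sources:" line (listing on stdin) names at least one source.
zone_has_sources() {
    zone_block "$1" | awk '
        $1 == "sources:" && NF > 1 { found = 1 }
        END { exit found ? 0 : 1 }
    '
}

# Exit 0 when the listing shows ssh reachable only through the internal zone:
# internal allows ssh and has sources bound to it, public no longer allows ssh.
ssh_lockdown_ok() {
    local listing="$1"
    printf '%s\n' "$listing" | zone_has_service internal ssh || return 1
    printf '%s\n' "$listing" | zone_has_sources internal    || return 1
    if printf '%s\n' "$listing" | zone_has_service public ssh; then
        return 1
    fi
    return 0
}

# Apply the change permanently, reload, then verify. Order matters: bind the
# admin sources and ssh to internal before removing ssh from public, and run
# this from a session you keep open until ssh_lockdown_ok reports success.
apply_ssh_lockdown() {
    local src
    $FIREWALL_CMD --permanent --zone=internal --add-service=ssh || return 1
    for src in $ALLOWED_SOURCES; do
        $FIREWALL_CMD --permanent --zone=internal --add-source="$src" || return 1
    done
    $FIREWALL_CMD --permanent --zone=public --remove-service=ssh || return 1
    $FIREWALL_CMD --reload || return 1
    ssh_lockdown_ok "$($FIREWALL_CMD --list-all-zones)"
}

# Constructed sample of --list-all-zones output before the change (ssh open
# to the world on public, internal has no sources) and after it.
SAMPLE_BEFORE='public (active)
  interfaces: eth0
  sources:
  services: dhcpv6-client ssh http
internal
  interfaces:
  sources:
  services: ssh mdns samba-client dhcpv6-client'

SAMPLE_AFTER='public (active)
  interfaces: eth0
  sources:
  services: dhcpv6-client http
internal (active)
  interfaces:
  sources: 203.0.113.10/32 203.0.113.11/32
  services: ssh'

# Usage: ./lockdown.sh --dry-run   (prints the commands, touches nothing)
#        ./lockdown.sh             (applies and verifies on a real firewalld host)
if [ "${1:-}" = "--dry-run" ]; then
    FIREWALL_CMD="echo firewall-cmd" apply_ssh_lockdown
elif [ "${1:-}" = "--apply" ]; then
    apply_ssh_lockdown && echo "ssh now restricted to: $ALLOWED_SOURCES"
fi
```

The dry run prints each firewall-cmd invocation without executing it; the final verification fails in that mode because echo does not produce a zone listing, which is the expected result. On a real host, a non-zero exit from apply_ssh_lockdown means the public zone still exposes ssh or the internal zone has no sources, and the session you started from is still the safe place to fix it.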