Firewalld has/had a bug that means it is broken on systems with a non-modular kernel or with certain modules built-in to the kernel. This affects for example VPSs from a number of providers (including rimuhosting.com, linode.com and ovh.com among others.)
There is an upstream bug report at https://github.com/firewalld/firewalld/issues/430
This was fixed in https://github.com/firewalld/firewalld/commit/88e76ddfed6fe348975bfea900... which appears in firewalld 0.8.
Most distros current releases include a buggy version of firewalld, not yet version 0.8 or higher. This affects at least Debian 9, Debian 10 and CentOS 7. And likely current Ubuntu releases as well.
Although the actual bug belongs elsewhere (in firewalld), I would argue it is not ideal for the virtualmin GPL installer to load a firewall that doesn't work.
A symptom of the problem is that after virtualmin has been installed, fail2ban doesn't work. fail2ban does its job and calls firewalld to block problem IP addresses, but firewalld silently does nothing and the addresses are not banned.
The easiest solution to this is to just remove firewalld after a virtualmin install. (I have a workaround for the version of firewalld installed in Debian 10, but it does not work for the version installed in Debian 9). After removing firewalld, fail2ban (and webmin) work fine using iptables.
It is somewhat difficult for me to automate the removal of firewalld once the virtualmin GPL install script has run, it would be better if the script did not load it in the first place.