Debian 12 KVM with firewalld+nftables won't work (there is a workaround)

Due to this issue:

In new Debian releases they deprecated including iptables by default, and so some packages, like firewalld, changed their dependencies to nftables, but this results in a conflict between firewalld and KVM/QEMU:

user@host:~/Downloads$ sudo virsh -c qemu:///system net-start Whonix-External
error: Failed to start network Whonix-External
error: internal error: firewalld is set to use the nftables backend, but the required firewalld 'libvirt' zone is missing. Either set the firewalld backend to 'iptables', or ensure that firewalld has a 'libvirt' zone by upgrading firewalld to a version supporting rule priorities (0.7.0+) and/or rebuilding libvirt with --with-firewalld-zone

To solve this you need to change the firewalld backend to iptables instead of nftables:

Edit /etc/firewalld/firewalld.conf (needs root), then change:

FirewallBackend=nftables to FirewallBackend=iptables

Then don't forget sudo systemctl restart firewalld.service

Then the virsh command above is going to work after that.

1 Like
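The edit described in the post above, as an added example that is not part of the original post: a shell helper that switches FirewallBackend idempotently, leaves commented-out lines alone and keeps a backup of the previous file. The function names and the .bak suffix are assumptions; firewalld.service still has to be restarted afterwards.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Function names are hypothetical.

# Print the active (uncommented) FirewallBackend value of a firewalld.conf.
get_firewalld_backend() {
    sed -n 's/^[[:space:]]*FirewallBackend[[:space:]]*=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" | tail -n 1
}

# Set FirewallBackend in file $1 to $2 (iptables or nftables).
# Prints "changed" or "unchanged"; the old file is kept as $1.bak.
set_firewalld_backend() {
    local conf="$1" want="$2" tmp
    case "$want" in
        iptables|nftables) ;;
        *) echo "unsupported backend: $want" >&2; return 2 ;;
    esac
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 1; }
    if [ "$(get_firewalld_backend "$conf")" = "$want" ]; then
        echo unchanged
        return 0
    fi
    cp -p "$conf" "$conf.bak" || return 1
    if grep -Eq '^[[:space:]]*FirewallBackend[[:space:]]*=' "$conf"; then
        # Rewrite only the active line; "#FirewallBackend=..." is untouched.
        tmp=$(mktemp) || return 1
        sed "s/^[[:space:]]*FirewallBackend[[:space:]]*=.*/FirewallBackend=$want/" "$conf" > "$tmp" \
            && cat "$tmp" > "$conf"   # cat keeps owner and mode of the original
        rm -f "$tmp"
    else
        # Key absent: firewalld would use its default, so state it explicitly.
        printf 'FirewallBackend=%s\n' "$want" >> "$conf"
    fi
    echo changed
}

# Run as root against the real file, then restart the service as in the post:
#   ./script.sh /etc/firewalld/firewalld.conf iptables
#   systemctl restart firewalld.service
if [ "$#" -eq 2 ]; then
    set_firewalld_backend "$1" "$2"
fi
```

Copying the .bak file back over firewalld.conf and restarting the service restores the nftables backend.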

Fixed in trixie.

1 Like