IMO using a firewall is overrated. Zimbra should have any ports that are a problem closed by default. Hence a firewall will need to allow access to the ports that need to be open anyway.
So, if all your firewall is doing, is allowing access to the ports that are otherwise open, and the rest are closed anyway...
That being said, we use firewalls, and sell them of course! However its important to note its not the main defense, and you need to make sure the Zimbra install itself is up to date, and the operating system has all the security updates applied.