Thank you!

What if I also have rules that have 'Any' in service column? How does unchecking 'Match for Any' affect those rules?

It doesn't affect them at all, it just means that the service ranges you create are not considered when matching services for traffic that hits the rules with 'Any' service in them. 

So if I, say, unclick the 'Match for Any' in FTP port 21, and allow TCP traffic over port 21 on a rule, the firewall will allow the traffic but won't treat is as FTP protocol anymore. Do I understand it correctly?

Then what would happen if I turned it off on all the services in a 5000 rule Policy Package? I mean, why is it needed then?

You can't "just" allow traffic on port 21 without a service object for port 21.  You can create a new TCP service object, give it port 21, do as EmmaP said, and don't assign the protocol type.  You can use this custom service in the rule which the firewall will treat with no further deep packet inspection.

The "match for Any" checkbox is a complex process:

1. For any rules whose Service column is "Any",

2. Find all service objects whose checkboxes are "match for Any",

3. If the port number in the packet matches that object's port number,

4. Apply the deep packet inspection protocol handler.

This means if you have a rule where Service column is "Any", and try something "clever" like "SSH over TCP port 80", the firewall will know this is not an HTTP protocol in the packet payload, so the packet will be blocked.  Similar will apply if you have Service column "http".

So "Any" does not strictly mean "Any".

Now I understand better, thank you.

And a similar principle goes for higher custom ports, am I correct?

Yes, but any port.   1-65535.  Firewall doesn't care about what a "privileged" vs. "non-privileged" port is; that's only meaningful on the host where the port is created.