I don't believe this level of granularity is possible as the Check Point negotiates what will be legal in IKE Phase 2 as subnets with all ports and protocols allowed. The Cisco side will need to accept all ports and protocols for the subnets in the "interesting traffic" ACL associated with the VPN tunnel, but then explicitly specify what is allowed into the network after decryption in a separate ACL. There may well be some kind of secret *.def file hack that enables the Check Point to negotiate ports and protocols along with the subnets for a certain peer, but I'm not aware of it. I can't imagine this is the first time something like this has arisen, so it might be worthwhile to have your Check Point SE (not TAC) check with the Solutions Center to see if they have some existing special code that can accomplish this.
It is a bit of a philosophical difference, as far as what will be considered "legal" in the tunnel for IKE negotiation purposes vs. what is actually allowed by the security policy. Kind of like setting up an automatic static NAT which NATs all 65,535 possible ports from one IP address to another, but then controlling which specific ports are allowed to/from that IP address separately in the Network/Firewall policy layer rules.
Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com