Re: Funny SSH issues (well, not funny)

Ah, that's slightly different if you were using separate rules - your first post implied you had both services in one rule. As I recall from last time I looked at this, you'll see the accept at first, when it sees the first SYN. The reject comes a little later, when Check Point's seen enough traffic to determine the version.

I'm not quite clear on what you're not quite understanding with the match for any behaviour. You have also noted the advanced service configuration for the ssh_version_2 service, where the protocol type is set to SSH2? When you create a basic tcp/22 service, it has no extra protocol type, so allows all versions.

Oh, and rather than checking the clients, you should check the server configuration. Many clients try ssh v2 first, then fall back to v1. The server should offer v2 only. Some people are still using very old clients that only do v1 though.
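The version the firewall (or anyone) can determine only after the TCP handshake comes from the SSH identification line the server sends (RFC 4253, "SSH-protoversion-softwareversion"). As an added example, not from the original post or from Check Point, here is a small checker that classifies that line: "2.0" means the server offers v2 only, "1.99" is the convention for a server that still speaks both v1 and v2, and "1.x" is v1 only. The sample banners are constructed for the demo; `grab_banner` is an assumed helper for testing a live host you administer.

```python
import re
import socket

# RFC 4253 section 4.2: "SSH-protoversion-softwareversion SP comments CR LF"
_BANNER_RE = re.compile(r"^SSH-(?P<proto>\d+\.\d+)-(?P<software>\S+)(?: (?P<comments>.*))?$")


def parse_banner(line):
    """Split one identification line into (protoversion, softwareversion, comments).
    Returns None when the line is not a valid SSH identification string."""
    m = _BANNER_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    return m.group("proto"), m.group("software"), m.group("comments")


def offered_versions(line):
    """Protocol generations a server advertises: {2}, {1, 2} or {1} (empty if unparseable)."""
    parsed = parse_banner(line)
    if parsed is None:
        return set()
    proto = parsed[0]
    if proto == "2.0":
        return {2}
    if proto == "1.99":          # RFC 4253: compatible with both 1.x and 2.0
        return {1, 2}
    if proto.startswith("1."):
        return {1}
    return set()


def v2_only(line):
    """True only when the server has v1 disabled, which is the state the post recommends."""
    return offered_versions(line) == {2}


def grab_banner(host, port=22, timeout=5.0):
    """Read the identification line from a live server (assumed helper, not run offline).
    RFC 4253 allows the server to send other text lines first, so skip until 'SSH-'."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        for raw in s.makefile("rb"):
            line = raw.decode("ascii", "replace")
            if line.startswith("SSH-"):
                return line
    return ""


# Constructed sample banners for the offline demo (not captured from any real host)
SAMPLE_BANNERS = [
    "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3\r\n",   # v2 only: what the server should offer
    "SSH-1.99-OpenSSH_3.9p1\r\n",           # both v1 and v2: clients may fall back to v1
    "SSH-1.5-OpenSSH_2.3.0\r\n",            # v1 only
    "HTTP/1.0 200 OK\r\n",                  # not SSH at all
]

if __name__ == "__main__":
    for b in SAMPLE_BANNERS:
        print(repr(b.strip()), "->", sorted(offered_versions(b)), "v2 only" if v2_only(b) else "NOT v2 only")
```

A tcp/22 service with no protocol type matches all of these; only the ssh_version_2 service (protocol type SSH2) can reject the second and third once the banner has been seen.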