Find the reason for an RDP certificate change (attack in the middle?)

I've installed new networking equipment: firewalls, switches, virtual LANs, and so on. I will not mention the name of the brand here, because I do not want to hurt them by my suspicions.

Immediately after, I was able to switch to RDP on a server on my local network without being asked to change my fingerprint.

A day later, however, while I try to connect to this same server, he now asks me to accept a new certificate because the fingerprint has changed.

I suspect that the new network equipment is trying to gather the credentials of my servers by intercepting my RDP sessions in a way that would be transparent other than by the fact that I am quick to accept a modified certificate.

How can I confirm that the source of this fingerprint change is something that has happened on the server I am connecting to, and not because of the new network equipment trying to make an attack middle man type to catalog the identification information should not be curious of)?