You can monitor the logs and look at that fwpolicyid. A sure way is to inspect the client\server-hello. If you see the MiTM forced certificate in the https lock in the browser, than you know a device was in the middle. Review the following
http://socpuppet.blogspot.com/2017/11/ssl-state-cache-msie.html
The left screenshot is a proxy doing MiTM and the right is the correct ca-chain. https://crt.sh/ is a good tool to know the proper cert issuer details btw.
e.g ( to see all cert listed for example.com )
https://crt.sh/?q=%25.example.com
Ken Felix
